REPORT OF WORKING GROUP5 - (IP Networks, Standards and Cybersecurity)

Transcription

1 Doc No REPORT OF WORKING GROUP5 - (IP Networks, Standards and Cybersecurity) 1.0 Introduction The meetings of Working Group 5 (WG5) - IP Networks, Standards and Cybersecurity were held in Kigali, Rwanda from 12 th to 13 th December 2013, 15thto 17th April 2014 and in Arusha, Tanzania 16th to 17 th June Mr. Michael Katundu, the Chairperson of the WG welcomed members and chaired the meetings of the WG5. He thanked the team members for their continued support and fruitful deliberations in the meetings. 2.0 Attendance The meeting participants were drawn from EACO Member countries namely Kenya, Uganda, Tanzania, Rwanda, Burundi and EACO Secretariat. The full attendance list is contained inannex Agenda of the Meetings The agenda was adopted as follows: i. Opening of the Meeting ii. Adoption of the Agenda iii. Election of Bureau (1 st and 2 nd Rapporteurs) iv. Review of the status of the EAIX Action plan/feasibility study v. Action plan for the issues raised during EAIX Country visits vi. EAIX Project Document vii. Formulate TORs and selection criteria for the EAIX Steering Committee viii. Budgeting for implementation of the EAIX Project 1

2 ix. Preparations for the AUC Eastern Africa Regional Internet Exchange and Regional Internet Carrier Workshop x. Review of the Cybersecurity Action Plan and Country reports (questionnaire on Cybersecurity. xi. Any Other Business (AOB) xii. Adoption of the report xiii. Closure of meeting 4.0 Election of Bureau The bureau was elected as follows: i. Michael Katundu Chairperson Kenya (Appointed by EXCOM) ii. Patrick Mwesigwa - Vice Chairperson Uganda (Appointed by EXCOM) iii. Caroline Koech - Lead Rapporteur EACO Secretariat iv. Ghislain Nkeramugaba - 1st Rapporteur Rwanda v. Ms. Connie Francis - 2nd Rapporteur Tanzania 5.0 Key Decisions 5.1 Review of the status of the EAIX Action Plan/Feasibility Study The WG reviewed the status of the EAIX Action Plan in each of the EA countries. 2

3 The EAIX Project Action Plan consists of four phases as follows: THE EAIX PROJECT ACTION PLAN Phase 0 - Jan - Mar 2014 Phase 1 - Apr-Jun 2014 Phase 2 - Jul -Sep 2014 Phase 3 Oct Onwards No PHASE Key Decision Action Taken Remarks 1. Phase 0 (Jan - Mar Site visits to all EACO countries to assess All the 5 countries were It was established that countries 2014): level of implementation of National IXPs visited were at different stages of and management. implementation and management of their National IXPs Funding framework inter-ixp connectivity EACO/AUC Workshop on Regional IXPs and Regional Carrier workshop EAIX awareness for possible funding and support under the AXIS project Formation of the EAIX Steering Committee Communication sent to reporting to the WG5 Regulators to nominate representatives (1 EACO Secretariat should make EAIX funding requests (ITU, AUC, EU etc) Regulators should allocate budgets towards funding EAIX Kenya nominated its representatives. Uganda in the process of 3

4 member from the Regulator and 1 member from the ISP Association) to the Steering Committee nominating representatives by end of July Burundi nominated its representatives. Rwanda not yet. Tanzania not yet. Phase 1 (Apr - Jun 2014) Framework to enhance local content and content infrastructure Online applications EACO Secretariat to submit a request for funding to AUC among other development partners. Policy and legal framework in place Regulators should support local content development through initiatives like universal access among others Ongoing EACO Secretariat should make EAIX funding requests (ITU, AUC, EU etc) Regulators should allocate budgets towards funding EAIX 4

5 Noted 1 :That site visits to all the countries in the EA region led by the chairperson of WP1 were done by WG5 members to assess the status of phase 0 Noted 2:That some members of the WG5 were not able to participate in the country visits due to budget constraints. Agreed 1: To come up with a comprehensive budget for the EAIX project and seek funding where necessary. The table indicating the status of the Phase 0 (Jan March 2014) Action plan is attached as Annex Action plan for the issues raised during EAIX Country visits The issues raised by each of the member countries were documented as indicated in Annex 3. Noted3: That all the countries in the EA region had started the implementation of phase 0 however, the countries are at different stages of the implementation. Agreed2 : To encourage countries to continue with the implementation of the phases as per the action plan. Agreed3: To continue benchmarking within and outside the region as necessary. 5.3 EAIX Project Implementation Document The WG members discussed and documented an EAIX Project Implementation Document as indicated in Annex 4. Noted 4: There needs to have a working document for the EAIX project Agreed 4: To develop an EAIX project Document as a guide for the project implementation 5

6 5.4 Formulate TORs and selection criteria for the EAIX Steering Committee The working group formulated the TORs for the EAIX Steering Committee as attached in Annex 4. Noted 5: The need for member states to nominate two (2) representatives to the EAIX steering committee, one representative from the Regulator and another representative from the ISP/IXP association. Agreed 5:EACO Secretariat to send letters to Regulators by May 2014 requesting them to facilitate the nomination of two (2) representatives to the EAIX steering committee, one representative from the Regulator and another representative from the ISP/IXP association by June Budgeting for implementation of the EAIX Project Noted 6: Budget estimates for the implementation of EAIX project prepared Annex 6. Agreed 6: EACO Secretariat tasked with sourcing of funds for the EAIX project based on the budget estimates and the Project document. 5.6 Preparations for the AUC Eastern Africa Regional Internet Exchange and Regional Internet Carrier Workshop Noted 7: The importance of the EACO Member States participation in theauc Eastern Africa Regional Internet Exchange and Regional Internet Carrier Workshop Agreed 7: EACO Secretariat to prepare a presentation for the workshop. Agreed 8:EACO Secretariat to sendlettersto AUC and other possible funding bodies requesting for funding for the EAIX project. 6

7 Agreed 9: EACO Secretariat to present the budget to EXCOM and brainstorm on fundraising options. Agreed 10:EACO to send invitation letters to EACO backbone carriers to participate in the workshop. Noted 8: The EACO Secretariat report of the AU-Eastern Africa Regional Internet Exchange Point (RIXP) and Regional Internet Carrier (RIC) Workshop that took place in Kigali, Rwanda from 26 th 30 th May 2014 Annex 8 Agreed 11: EACO Secretariat should liaise with the EACO Regulators and nominate three (3) National IXPs for funding by the AUC to grow into Regional IXPs. 5.7 Review of the Cybersecurity Action Plan and Country reports Noted 9: To recommend strategies for implementation of Cybersecurity national frameworks, including establishment and operationalization of National Computer Emergency Response Team (CERTs)/Computer Incident Response Team (CIRT)/Computer Security Incident and Response Team (CSIRT) in each EACO Member countries Annex 7 Agreed 12: Develop a National Cybersecurity questionnaire/ checklistof requirements for implementation and operations of national CERTs/CIRTs/CSIRTs).The Regulators will be expected to complete the National Cybersecurity questionnaire semi-annually (June and December)Annex 5 Agreed 13: Regulators to submit the initial completed National Cybersecurity questionnaire by December RECOMMENDATIONS After deliberation, the WG5 recommends the EACO Assembly of Regulators to approve the WG5 report. 7

8 Mr. Michael KATUNDU Chairperson WORKING GROUP 5 - (IP Networks, Standards and Cybersecurity) 8

9 ANNEX 1: LIST OF PARTICIPANTS No Names Position & Institution Country Phone No 1 Mrs. ARCT BURUNDI [email protected] Ngarukiyinka Ange 2 Mr. Ndayizeye Egide IT/ARCT BURUNDI [email protected]; [email protected] 3 Mr. Sinarinzi Alexis 4 Mrs. Caroline Koech 5 Mr. Michael Katundu 6 Mr. Emmanuel Tarus 7 Mr. Robert Nkeramugaba 8 Mr. Ghilain Nkeramugaba 9 Mr. Philippe Bugingo 10 Mr. Dusenge Emmanuel 11 Mr. Ghilain Nkeramugaba 12 Mrs. Anita Hodari B. Legal Officer/ARCT BURUNDI [email protected] Liaison Manager/ICT EACO Secretariat [email protected] CCK KENYA [email protected] Safaricom-KENYA KENYA [email protected] Broadband System Specialist/ RDB RWANDA [email protected]/ [email protected] RICTA RWANDA [email protected] TIGO RWANDA [email protected] MYCT RWANDA [email protected] RICTA RWANDA [email protected] RURA RWANDA [email protected] 9

10 13 Mr. Jean Pierre Nshimiyimana 14 Mr. Aminadab Bararwerekana 15 Mr. Ntambara Emmanuel 16 Mr. Matsiko Gonzague 17 Mr. Christophe Nkurunziza Hardware RWANDA Engineer/RURA Rwanda Post Office RWANDA RURA RWANDA Postal Regulation Officer- RURA RWANDA MTN RWANDA Mr. Gatete John Liquid Telecom Rwanda RWANDA Mr. Charles Mugisha 20 Mrs. Connie Francis 21 Ms. Clara Mramba 22 Mr. Ronald Bakakimpa 23 Mr. Patrick Mwesigwa Head of Cyber Security / RDB RWANDA [email protected] TCRA TANZANIA [email protected] TISPA/Smile Tanzania TANZANIA [email protected] UCC UGANDA [email protected] UCC UGANDA [email protected] 10

11 ANNEX 2 Status of the Phase 0 (Jan March 2014) Action plan Phase 0: 1 st January 2014 to 31 st March 2014 Inward focus: Enhance integrity of the national IXP switching STAKEHOLD Inward focus Burundi Kenya Rwanda Tanzania Uganda ER Ministry for ICT and ICT regulator Incorporate IXP in policy as a critical infrastructure Recognition on its role on critical traffic Burundi is currently formulating an IXP policy and the provisions of treating it as a critical infrastructure will be included. The National Broadband Strategy recognizes IXP and discusses about redundancy of IXP. The Ministry of ICT should recognize IXP in the ICT policy. Rwanda has developed guidelines related to IXP and has set up a new governance structure of RINEX. In the future, the IXP will be included into the broadband policy. The 2003 National ICT Policy captured importance of IXPs as national infrastructure although by then there was no IXP in the country. The Ministry has reviewed the national ICT policy 2003 and IXP has been captured under national ICT infrastructure. The ICT policy which is under review to recognize IXP. The broadband strategy to recognize IXP as critical infrastructure ICT regulator Regulatory framework of the IXP Burundi has established BurundiX CCK has licensed the IXP services. RURA and RICTA have signed a MoU that Regional and International cooperation has been recognized as an important aspect for sustainable ICT exploitation. TISPA is a registered association In process of reviewing 11

12 STAKEHOLD ER ICT regulator Inward focus Burundi Kenya Rwanda Tanzania Uganda is clarified and implemented. A regulatory mechanism is put in place to provide oversight on the IXP management and engagement of the stakeholders. Develop statistical indicators of growth and reporting mechanisms as a tool to empower in March 2014, hosted at National University of Burundi. The BurundiX is managed by Burundi ISP Association on volunteer bases. The regulator will develop a reporting framework of indicators that will include traffic volume, number of peers etc to be provided by the CCK has advised KIXP to start providing quarterly statistics of the traffic exchanged. Reporting mechanism has been agreed upon with national IXP management. clarify oversight management of the RINEX that includes periodic reports of performance and management of IXP. The regulator has put in place reporting mechanism through the MoU. The reporting is on quarterly basis. managing the 1st IXP currently considered as national IXP, TIX. The additional local IXPs deployed in other parts of the country are initiatives of the private sector/ TISPA with funding support from TCRA. There is a regulation requiring all ISPs to connect to the nearest IXPs and to interconnect between themselves. All existing IXPs are required to connect to TIX which is the Tanzanian IXP The reporting mechanism is in place. management structure to foster multi-stakeholders engagement. The regulator is in process of reviewing ISP licensing framework to improve existing regulatory mechanisms. No IXP regulatory framework. In the process of exploring different regulatory mechanisms by 31 st May Reporting mechanism has been agreed upon with current IXP management. 12

13 STAKEHOLD ER Inward focus Burundi Kenya Rwanda Tanzania Uganda monitoring growth and basis of intervention. National operators quarterly bases IXP on ICT regulator ICT regulator Working group 5/EACO Secretariat A mechanism to be put in place requiring reports on the indicators that include traffic volumes being switched at the national and regional level, peering partners. Organize a forum to Regulator to engage all organize a stakeholders and to consultative meeting review governance that will include the structure where ISPs, necessary Government in order to develop a governance structure for IXP Project Management Regulator in collaboration with the national IXP to nominate two Reporting mechanism has been agreed upon with national IXP management. Reporting mechanism for regional traffic exchange be put in place when the national IXP starts being involved in transit services Governance structure in place Regulator in collaboration with the national IXP to nominate 2 The regulator has put in place reporting mechanism through the MoU. The reporting is on quarterly basis. Reporting mechanism for regional traffic exchange be put in place when the national IXP starts being involved in transit services Regulator organized a consultative meeting that included the ISPs, Government. The ISPs agreed to cooperate through RICTA. Regulator in collaboration with the national IXP to nominate 2 members The reporting mechanism for the national traffic is in place. Reporting mechanism for regional traffic exchange be put in place when the national IXP starts being involved in transit services Governance structure in place Regulator in collaboration with the national IXP to nominate 2 Reporting mechanism has been agreed upon with national IXP management. Reporting mechanism for regional traffic exchange be put in place when the national IXP starts being involved in transit services The forum has been organized and the governance structure is being reviewed, to be completed by 31 st May 2014 Regulator in collaboration with the national IXP to nominate 2 members 13

14 STAKEHOLD ER EACO Secretariat Inward focus Burundi Kenya Rwanda Tanzania Uganda Funding framework for inter-ixp connectivity members to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/IXP) Participate in expression of interest members to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/IXP Participate in expression of interest to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/IXP Participate in expression of interest members to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/IXP. Participate in expression of interest to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/IXP Participate in expression of interest ISP Association or forum bringing together ISPs ISP Association or forum bringing To send a formal letter to AUC to inform AUC of the interest of EACO to participate in the request for initial funding for the regional IXP project Peering policy/operational guidelines developed and implemented Determine and aggregate traffic originating and terminating in the region The association is in place and it includes ISP/telecom operators and individuals. Draft peering policy/ operational guidelines in place Develop a determination and reporting mechanism in collaboration with Established Established Established To be established Peering policy developed by KIXP, published on its website Develop a determination and reporting mechanism in collaboration with Peering guidelines developed by RINEX and published Develop a determination and reporting mechanism in collaboration with the regulator and Peering policy developed by TIX, published and gazetted Develop a determination and reporting mechanism in collaboration with Peering policy/ operational guidelines are being reviewed. Develop a determination and reporting mechanism in collaboration with the regulator and 14

15 STAKEHOLD ER together ISPs IXP manageme nt Inward focus Burundi Kenya Rwanda Tanzania Uganda Skilled experienced experts, I and ICT Integrity on power, redundancy/bcp, IXP switching capacity and traffic monitoring, security Best Practices and Standards the regulator and measure the traffic. the regulator and measure the traffic. measure the traffic. the regulator and measure the traffic. measure the traffic. Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate Adequate To be improved. The redundant Available To provide a Available To provide a (secondary) IXP and redundant (secondary) redundant (secondary) connectivity is in IXP IXP and connectivity place through BBS. Increase IXP switching capacity and traffic monitoring capabilities. Incorporate security in the establishment of the IXP Increase IXP switching capacity and traffic monitoring capabilities. Increase IXP switching capacity and traffic monitoring capabilities. Increase IXP switching capacity and traffic monitoring capabilities. Increase IXP switching capacity and traffic monitoring capabilities. Adequate Adequate Adequate To be improved Network operators Backbone operators Establish traffic volume and patterns to the respective countries in the region EACO Secretariat to coordinate a review of regional interconnection of the East Africa Backbone Systems (EABS), taking into account the work of the relevant working group Provide the data as required by the regulator Participate in the review meetings and rectify what may be missing Provide the data as required by the regulator Participate in the review meetings and rectify what may be missing Provide the data as required by the regulator Participate in the review meetings and rectify what may be missing Provide the data as required by the regulator Participate in the review meetings and rectify what may be missing Provide the data as required by the regulator Participate in the review meetings and rectify what may be missing 15

16 ANNEX 3 AGREED WAY FORWARD DURING THE EAST AFRICA COMMUNICATIONS ORGANIZATION S (EACO S) EAST AFRICA INTERNET EXCHANGE (EAIX) WORKSHOP KENYA - WORKSHOP HELD ON 7 TH APRIL 2014, AT THE SAROVA STANLEY HOTEL, NAIROBI, KENYA ISSUE REMARKS BY WG5 WAY FORWARD 1. There is need to benchmark with Europe, India and Sweden in implementing cross boarder connectivity, which is necessary towards implementing the EAIX. 2. Review the need for funding and resources required in supporting local Internet Exchange Points (IXPs). To be included as a TOR for the EAIX Steering Committee, Include Nigeria in the benchmarking Send a liaison note to the relevant WG to address the cross border issues. To be addressed under budgeting 3. Get buy in from stakeholders through awareness campaigns. Develop clear business models for National IXPs, ensuring the IXPs themselves have the right models so that the various stakeholders can buy into the idea. Stakeholder engagement is ongoing. In the process of finalizing the model 4. Respective ICT Regulators and EACO Secretariat should invite ISPs /Telecom/national IXP operators to Involvement of the private sector in this project is critical 16

17 participate in the EACO Working Group 5 (on IP Networks, Standards and Cybersecurity) meetings. Further, the ICT Regulators and EACO Secretariat should facilitate ISPs /Telcom/IXP operators to attend all EACO meetings, including Working Group meetings. The private sector delegation to the EACO meetings should consist of at least three (3) people as follows: a. One (1) from the national IXP; b. One (1) person from a large ISP; and c. One (1) from a small ISP. This request will be considered through the budgetary allocation 5. Encourage and facilitate (where necessary) National IXPs to promote value added services at the exchange point in addition to basic traffic switching. This would include offering Route Server and Transit services. To be addressed in the model EAIX 6. The emphasis of the project should be to keep regional traffic local to the region. However the technical how-to of moving the traffic within the region should be left to the national IXPs and their stakeholders. 7. There should be harmonization of the regional regulatory framework governing National IXPs peering policies. 8. Measurement of the traffic/data being exchanged regionally should be collected from the National IXPs by their respective Regulatory Authorities addressing this. 17

18 ICT Regulatory Authorities. This exercise should be done on a quarterly basis and should commence from 1 st July The received data should be aggregated to indicate the total traffic/data routed within the EA region. The statistics would inform on the amount of traffic being exchanged within the EA region as well as the amount of traffic going out of the EA region. TANZANIA - WORKSHOP HELD ON 3RD APRIL 2014, AT THE TCRA, DAR ES SAALAM, TANZANIA 1. Consider the sustainability of the EAIX once the project is complete To be addressed in the EAIX model 2. Adoption of interconnection best practice through benchmarking. An example was given on the issues of some countries charge( TZ&KE) while others give connectivity for free(ug). This may cause unequal playing grounds on the EAIX as some may be incurring more costs at the national level. The operations and management of the IXPs should not be done as charitable organization so as to establish commercial interest to the stakeholders. Benchmarking is encouraged. 18

19 3. It was recommended that the project implementation of the different phases to be expedited in parallel in order to meet project timelines. 4. The project would be commercially viable only if the volume of traffic between the countries in the region in high. Feasibility study should be done to take into account the volume of traffic as it is a critical indicator for the sustainability of the project. High traffic volume would establish commercial sense on the market situation. To be addressed through the regulatory frameworks 5. We need to consider that the IXP could eventually be used to provide additional services besides internet e.g. interconnection clearing houses including carrying voice traffic Value added services The regulatory framework should address the mandate of the National IXPs 6. Promotion of development of local hosting and local caching Value added services Need for local hosting and local caching standards, towards encouraging international players e.g. google, yahoo, facebook, akamai etc to host their secondary servers in the EA region 19

20 7. We need to define the requirements for the IXP infrastructure for it to be regarded as a National critical infrastructure. The main concern was to consider what critical infrastructure mean to each member nation? WG5 should identify Critical ICT Infrastructure for the EA region and propose means for its protection (CIIP). Ministries of ICTs to recognize IXPs in their ICT policy as Critical ICT Infrastructure. Regulators to provide support to the National IXPs RWANDA - WORKSHOP HELD ON 14TH APRIL 2014, AT THE KARISIMBI HOTEL, KIGALI, RWANDA 1. There is need to ensure we raise resources for the EAIX project in a timely manner and ensure that the resources are channeled to the right place. To be addressed in the budgeting 2. Ensure early engagement with backbone operators. EACO Secretariat to address 3. Develop a clear business model/sustainability model for the regional IXP The EAIX project model should include - Sustainable/economical model 4. THE Steering Committee should have subcommittees focusing on EACO Secretariat and EAIX Steering 20

21 the business model /sustainability model and another group focusing on the technical issues with clear objectives and timelines Committee to address 5. There is need to have capacity and awareness creation for this project Ongoing 6. We should consider empowering the national IXPs to start offering regional transit as a long term solution. In the short term we can find a model where operators will manage it. The national IXPs to ensure that regional traffic is kept local to the region To be addressed in the EAIX project model 7. There needs to be a document which specifies the details of the project e.g. funding, design etc which once completed should be implemented by all countries. A phased approach in line with Action Plan of the feasibility study. EACO Secretariat to keep records 8. All National IXPs should consider having a route server to ease the regional integration (EAIX). Best practice 9. We need to promote the National IXPs to be concerned about traffic that is going outside the country To be addressed in the regulatory framework 21

22 and specifically to the region. 10. All operators should be given equal rights to provide transit (regional peering) services. Any operator peering at the IXP should be able to offer transit services in the region. This is an operational issue and hence to be addressed by the National IXPs and ISPs. 11. Costing Model - are there policies required for this? 12. Volumes of traffic...will the National IXP be able to manage the traffic for the region? To be addressed in the EAIX model National IXPs will provide routing infrastructure capable of carrying regional EAIX traffic. The infrastructure carrying EAIX peering traffic should be leased from the operators. 13. IXP needs to be considered as critical infrastructure so that the IXP needs to be capable of The issues raised were in Uganda were similar to Kenya, Tanzania and Rwanda. Being addressed by ICT Ministries and Regulatory Authorities. UGANDA - WORKSHOP HELD ON 31ST MARCH 2014, AT UCC, KAMPALA, UGANDA BURUNDI - WORKSHOP HELD ON 10TH APRIL 2014, XXXX, BUJUMBURA, BURUNDI The issues raised were in Burundi were similar to Kenya, Tanzania and Rwanda. 22

23 ANNEX 4 EAIX PROJECT IMPLEMENTATION DOCUMENT Table of Contents 1.0 Executive Summary Background of the EAIX Project Project outline Topology of the EAIX Technical requirements and specifications Bandwidth Requirements Equipment Requirements Establishment of adequate connectivity links between the national IXPs Establishment of terminating equipment for connectivity links Resources required Funding (Startup/Operational) Requirements Possible Sources of Funding Regulatory Requirements...Error! Bookmark not defined. 23

24 1.0 Executive Summary Section (2.0) addresses the background of the EAIX Project, Section (3.0) addresses the Project outline, Section (4.0) addresses the Topology of the EAIX Project, Section (5.0) addresses the Technical requirements and specifications of the EAIX Project, Section (6.0) addresses Resources required to implement the EAIX Project, Section (7.0) addresses the Funding required and the possible sources for funding the project startup and operations, Section (8.0) addresses the possible sources of funding, and Section (9.0) addresses the possible Regulatory requirements for the EAIX Project. 2.0 Background of the EAIX Project Inadequate interconnection between ISPs and IXPs in the East African region has often resulted in the routing of local traffic over expensive international links to reach destinations within the East African region. This leads to capital flight as communication providers have to incur costs for international circuits outside East Africa. The East African Communications Organisation (EACO) Congress approved the formation of the EAIX taskforce to work on possible ways of interconnecting all National Internet Exchange Points (IXPs) installed in their countries. The objective is to keep regional traffic local within East Africa. The EACO members include Uganda, Tanzania, Kenya, Burundi and Rwanda. The benefits of interconnecting the East Africa IXPs, leading to a virtual EAIX, are as follows: To improve the quality of internet services within East Africa, including network reliability, latency, packet loss, among others Reduction of cost of connectivity Reduce data exposure to entities located in other regions (privacy) by localizing traffic Ease in cyber security management Content hosting within the region due to improved regional access speeds Increased internet penetration in the region due to reduction of cost 3.0 Project Outline The project comprises of i. Establishment of national IXPs in each of the East African countries ii. Identification of technical requirements for the EAIX as follows o Identification of minimum bandwidth requirements for the national IXPs o Establishment of adequate transit/peering links between the national IXPs. o Establishment of terminating equipment for transit/peering links, among others iii. Development of operational guidelines of the EAIX iv. Identification of requirements for financial assistance v. Interconnection of the national IXPs to form an East African Internet Exchange (EAIX) vi. Monitoring and Evaluation mechanisms vii. Capacity building and awareness creation. 24

25 4.0 Topology of the EAIX The EAIX project will entail national IXPs to engage in regional peering of the East Africa traffic, in addition to the existing switching services. The initial topology of the EAIX will be a Ring topology. However, the EAIX topology is envisaged to evolve into a full Mesh topology over the years. The following are the advantages of a ring topology: No requirement for an independent entity to be created to manage it. Low operational cost(distributed resources); Technically easy to implement Economical in initial connectivity (minimal number of connections/links required); Redundancy ensured. The following are the advantages of a full Mesh topology: No requirement for an independent entity to be created to manage it. Redundancy is ensured; Minimal latency Ring Topology Full Mesh Topology 25

26 5.0 Technical requirements and specifications 5.1 Bandwidth Requirements The minimum bandwidth for the transit/peering links between the national IXPs will be STM1 (155 Mbps). This is an indicative number; a comprehensive method of dimensioning the links and bandwidth should be carried out by the EAIX Steering Committee. To achieve the desired capacity and scalability, this has to be implemented over fiber infrastructure. 5.2 Equipment Requirements per National IXP i. Minimum of two (2) Routers : o hardware forwarding capability o dual stack IPv4 and IPv6 o capable of at least forwarding 5Gbps o at least 4x STM-1 interfaces, upgradable to 4x STM-4 interfaces o at least 3x Gigabit Ethernet interfaces ii. Minimum of two (2) Switches iii. Minimum of two (2) Servers In addition: 1) Each national IXP shall be required to have : i. Public Autonomous System Number(ASN) ii. Public IP address space for the peering LAN 2) Each national IXP shall be required to establish BGP peering session with its adjacent National IXPs in order to exchange routing information. 3) Each national IXP shall be required to have qualified personnel. 5.3 Establishment of adequate transit/peering links between the national IXPs i. Sourcing for capacity and links between the IXP and the transit carrier ii. Sourcing for capacity and links between the national IXPs, with failover capabilities 5.4 Establishment of terminating equipment for transit/peering links Availability of adequate interface between the transit carrier and the National IXP, in such a way that it avoids bottlenecks/traffic congestion. 6.0 Resources required by the respective National IXPs i. Hardware (routers, switches, interfaces, servers, etc) ii. Software (Traffic analyzer, Website, management system, etc) iii. Internet Protocol : Dual Stack IPv4 and IPv6 iv. Routing Protocol : BGP 26

27 v. Human resources(capacity building and awareness creation) vi. Transit/peering links capacity vii. Tier 2 datacenter services/setup 7.0 Funding (Startup/Operational) Requirements This is mainly the funding for the above (6.0) identified required resources, in addition to the operations of the EAIX for a period of three (3) years. After three (3) years the EAIX is expected to be self sustainable. 8.0 Possible Sources of Funding i. National IXPs ii. EACO members iii. East African Community (EAC) iv. International Telecommunications Union (ITU) v. Universal Access Funds for the EACO region vi. Non EACO members within the East African region vii. African Union Commission (AUC/AXIS) viii. Development partners (World Bank, African Development Bank, United Nations Development Programme, USAID, EU, etc) ix. Internet Society (ISOC), among others 9.0 Regulatory Requirements The EAIX topology adopted is a shift from the normal operations of IXPs that was meant to be within a single country. Therefore cross border connectivity will require review on the current regulatory arrangements. In addition: i. Each ISP shall be required to be connected to the respective national IXPs. ii. Each ISP shall be required to route its East Africa regional traffic either through the respective national IXP or through other arrangements as long as the East Africa traffic is kept local within the region. iii. Tariffs and interconnection rates on EAIXP iv. Harmonization of licensing of ISPs and national IXPs in the East Africa region v. Dispute resolution mechanisms 10.0 Business Model of the EAIX Currently we have transit carriers within EA who are carrying traffic within the EA region. However, some of this traffic goes through other countries outside the EA region, before being delivered to its destination in the EA region. The National IXPs, in addition to switching services, will need to start offering transit services between National IXPs in the EA region. This can be achieved through the national IXPs leasing 27

28 transit links capacity from the available transit carriers. The National IXPs should purchase transit/peering link capacities from the existing EA region transit carriers Governance and operations of the EAIX The National IXPs should be recognized in policy documents as a National ICT Infrastructure. Regulatory frameworks should be put in place to enhance the operations of the national IXPs, including offering regional traffic transit/peering services. National Regulators in collaboration with the national IXPs are to nominate two (2) members to the EAIX Steering Committee (1 from the regulator and 1 from the ISPA/National IXP) An EAIX Steering Committee consisting of eleven (11) members as follows: one (1) representative from each National IXP one (1) representative from EACO Secretariat one (1) representative from the East Africa Regulatory Authorities The EAIX Steering Committee shall report to the EACO Congress. EACO Congress Assembly of Regulators Working Group 5 EAIX Steering Committee RINEX BurundiX KIXP TIX UIXP EAIX The mandate of the EAIX Steering Committee will be to advise, implement, coordinate and manage the operations of the EAIX. The TORs for the Steering Committee are as follows: i) Advise on EAIX project implementation ii) To coordinate the operations of the EAIX (National IXPs) 28

29 iii) Capacity building and awareness creation on EAIX iv) Develop and implement the Peering policy/operational guidelines for the EAIX v) Determine and aggregate traffic originating and terminating in the EA region vi) Ensure the best practices are implemented vii) Review regional interconnection and status of the East African Backbone System (EABS) viii) Develop operations charter. ix) Make recommendations on policy, legal and regulatory frameworks, among others. Each of the entities will decide on the selection criteria of its representative. The representative should have the relevant competence in IXP management. The members of the EAIX Steering Committee should elect the Chairperson, Vice Chairperson and any other necessary officials. The Steering Committee should meet on a quarterly basis. EACO Secretariat should have a budgetary allocation for the non regulatory members to participate in the EAIX Steering Committee meetings. The respective Regulatory Authorities should support their representatives to participate in the EAIX Steering Committee meetings. 29

30 Annex 5 EACO WORKING GROUP 5 (IP NETWORKS, STANDARDS AND CYBER SECURITY) NATIONAL CYBERSECURITY QUESTIONNAIRE Please fill out this questionnaire electronically and your responses to Ms Caroline Koech [email protected] Mr Michael Katundu [email protected] The National Cybersecurity Index aims to effectively measure each state s level of cybersecurity development. The ultimate goal is to help foster a national culture of Cybersecurity and its integration at the core of information and communication technologies (ICT). The questionnaire focuses on the following five work areas: Legal Measures, Technical and Procedural Measures, Organizational Structures, Capacity Building and International Cooperation.These five designated areas will form the basis of the indicators for the national cyber security index. You are kindly invited to participate in a benchmarking exercise aimed at assessing the current situation of your Country. 30

31 RESPONDING COUNTRY (including contact information) QUESTIONS RESPONSES 1A. Is there any criminal legislation regarding cyber activities? If so, please specify Include URL, title of laws/acts/articles 1B. Is there any legislation regarding data protection? If so, please specify Include URL, title of laws/acts/articles 1C. Is there any regulation regarding cybersecurityand compliance requirements? If so, please specify Include URL, title of laws/acts/articles 2A. Is there one (or more) officially approved national or sector-specific CERT, CIRT or CSIRT team(s)? If so, please specify the names and number and whether they are legally mandated or not Include URL, official name 2B. What services are offered under the recognised CERT, CIRT or CSIRT. 2C. Does the CERT, CIRT, CSIRT have approved policies? Include titles 2D. Has the CERT, CIRT, CSIRT established any partnerships or joined FIRST? What benchmarking exercises did the CIRT, CERT or CSIRT undertake or plan to undertake? Include name and URL 2E. Is there any framework regarding cyber crime information sharing? If so, please specify Include name and URL 2F. Is there any officially-approved national (and sector specific) cybersecurity frameworks for implementing internationally recognized cybersecurity standards?if so, please specify 31

32 Include URL, official name of framework, responsible agency (and contact details) and short description 3A. Is there any officially recognised national or sector-specific cybersecurity strategy and/or policy? If so, please specify Include URL, official name of strategy/policy, responsible agency (and contact details) and short description 3B. IS there any officially recognised national or sector-specific governance roadmap for cybersecurity? If so, please specify Include URL, official name of roadmap, responsible agency (and contact details) and short description 3C. IS there any officially recognised national or sector-specific agency responsible for implementing a national cybersecurity strategy/policy/roadmap? If so, please specify Include URL, official name of responsible agency (and contact details) and short description of responsibilities 3D. Is there any officially recognised national or sector-specific benchmarking exercises or referential used to measure cybersecurity development? If so, please specify Include URL, official name of benchmarking exercise, responsible agency (and contact details) and short description 4a. Is there any officially recognized national or sector-specific research and development (R&D) programs/projects for cybersecurity standards, best practices and guidelines to be applied in either the private or the public sector? If so, please specify Include URL, official name(s) of programs/projects/best practices/guidelines, responsible agency(ies) (and contact details) and short description 4B. Is there any officially recognized national or sector-specific educational and professional training programs for raising awareness with the general public, promoting cybersecurity courses in higher education and promoting certification of 32

33 professionals in either the public or the private sector? If so, please specify Include URL, official name(s) of programs/projects, responsible agency(ies) (and contact details) and short description 5A. Are there any recognized national or sectorspecific partnerships for sharing Cybersecurity assets or information across borders with other states? If so, please specify Include URL, official name of partnership, responsible national agency (and contact details), participating countries, and short description 5B. Are there any officially recognized national or sector-specific programs for sharing cybersecurity assets within the public sector? If so, please specify Include URL, official name of program, responsible agency (and contact details), participating organizations, and short description 5C. Are there any officially recognized national or sector-specific programs for sharing cybersecurity assets between the public and private sector? If so, please specify Include URL, official name of program, responsible national agency (and contact details), participating organizations, and short description 5D. Are there any officially recognized participation in regional and/or international cybersecurity platforms and forums? If so, please specify Include URL, official name of platform/forum, responsible national agency (and contact details), participating countries, and short description T H A N K Y O U! 33

34 Annex 6: Budget for Implementation ofthe EAIX Project and One (1) Year Operational Costs No. ITEM QUANTITY UNIT COST EQUIPMENT PER NATIONAL IXP (USD) SUBTOTALS TOTAL COST (USD) Minimum of two (2) Routers 10 55, ,000 Minimum of two (2) Switches Minimum of two (2) Computer Servers 10 50, , ,000 40,000 Racks 10 2,000 20,000 1,110,000 SOFTWARE Traffic analyzer and Network monitoring system 5 15,000 75,000 Website development/upgrade 5 1,000 5,000 80,000 HUMAN RESOURCES 5 days Training for the National IXP technical team (at least 2 people per IXP) for startup ,000 Trainers cost 5 days 1,500 7,500 37,500 34

35 INFRASTRUCTURE SETUP Installation costs for the capacity and links (1 STM1) between the national IXPs, with failover capabilities 5 10,000 50,000 50,000 OPERATIONAL EXPENDITURE FOR ONE (1) YEAR Recurrent Capacity and links (1 STM1) between the national IXPs, with failover capabilities =200*155*5*12*1) per month 1,860, Maintenance and repairs (`5% of the hardware budget) 5 60,000 Tier 2 datacenter services (5 countries for one (1) year) 84 rack unit 200 1,000,000 2,920, TRAVEL Funding for the EAIX Steering Committee meetings : (3 day quarterly meetings ) 4 20,800 =(200*4*4*4)+(500*4*4) i) 5 members from the National IXPs 35

36 ii) 1 member from the EACO Secretariat 1 9,200 30,000 TOTAL 4,227,500 36

37 Annex 7 WORKING GROUP 5 - WP 2- CYBER SECURITY CHAIRED BY BAKAKIMPA RONALD, UGANDA ACTION PLAN No. TOR TASK ACTIVITY OUTPUT RESPONSIBLE TIMEFRAME 1. To recommend Review status of Develop a checklist of Checklist WP2 Chairperson Dec - 31st Jan strategies for implementation of requirements for 2014 implementation of cyber security implementation and Cybersecurity national national frameworks, operations of national frameworks, including including CERTs/CIRTs/CSIRTs) establishment and establishment and operationalization of operationalization of National Computer national CERTs WG5 chairperson to Completed WG5 Chairperson/ Feb - April 2014 Emergency Response send the checklist to checklist EACO LM-ICT Team EACO LM-ICT for (CERTs)/Computer forwarding to regulators Incident Response for completion and send Team (CIRT)/Computer back to EACO Security Incident and secretariat. Response Team (CSIRT)in each EACO Member countries. 37

38 Compile a status report for presentation to the WG5 Status report WP2 Chairperson July - August To develop and implement a regional strategy for collaboration of the National Formal Extract the National communication on CERTs focal point the National CERTs contacts from the status focal points checklist National CERTs WP2 Chairperson April - May focal point 2014 contacts Capacity building and Identify areas for Areas of focus and WP2 Chairperson July - August 38

39 CERTs/CIRTs/CSIRTs in awareness creation capacity building, target groups 2014 order to facilitate on Cybersecurity awareness creation and timely response to target groups cyber security Develop a draft capacity Draft capacity WP2 Chairperson August - Sept incidents within the building and awareness building and 2014 region. creation proposal and awareness submit to WG5 creation proposal Submit the capacity Communication WG5 Chairperson/ October 2014 building and awareness EACO LM-ICT creation proposal to EACO secretariat to source for support Conference on Conference/ WP2 Chairperson Feb Cybersecurity (capacity Workshop building and awareness creation) Develop guidelines for Draft guidelines WP2 Chairperson April - June information exchange by 2014 National CERTs Present draft WP2 Chairperson Oct 2014 guidelines to WG5 Present to EACO Assembly for WG5 Chairperson/ EACO LM-ICT May - June

40 approval 3. To recommend Review the status WP2 to review the status Recommendations WP2 Chairperson July - August regional mechanism checklist received checklist and make to WG for collaboration of from member recommendations to the national countries for action WG5 CERTS/CIRTs/CSIRTs with international partners and other national entities National CERTs to be a member of FIRST, ITU/IMPACT Prepare a checklist of requirements for joining FIRST Requirements joining FIRST for WP2 Chairperson July - August 2014 involved with the management of cyber security WG5 Chairperson to send the requirements to EACO LM-ICT for Communication WG5 Chairperson/ EACO LM-ICT forwarding to Regulators for implementation by National CERTs. 40

41 4. Develop and Develop a template WP2 Chairperson and Report template WP2 Chairperson/ By April 2014 recommend for submission of EACO LM-ICT to develop EACO LM-ICT mechanism for annual national a draft template and providing annual Cybersecurity reports seek inputs from regional Cyber Security by regulators members reports to EACO Assembly. WG5 Chairperson to Communication WG5 Chairperson/ send the template to EACO LM-ICT EACO LM-ICT for forwarding to regulators for implementation. Compile the annual Annual report WG5 Chairperson report for presentation to the Assembly 5. To review and develop 2nd cycle requirements/guidelin es and standards for Cyber Security. 6. To identify and 2nd cycle 41

42 recommend solutions to operational issues (commercial, quality of service/ Service Level Agreement, peering arrangements) relating to Cyber Security. 7. To conduct studies and research on Cyber security aimed at improving the security and operations of existing systems and critical infrastructure within the region. 2nd cycle 42

43 Annex 8 AU-Eastern Africa Regional Internet Exchange Point (RIXP) and Regional Internet Carrier (RIC) Workshop Report 43