Cybersecurity and Cybercrime. Ministry of National Security

Transcription

1 Cybersecurity and Cybercrime Ministry of National Security

2 Objective of Presentation What is the nature of Cybersecurity and Cybercrime? Purpose of Legislation Potential Impact on business operations What should businesses do to be ready for new legislation Way forward

3 News Headlines 3

4 Adam Palmer Norton Lead Cyber Security Advisor advised that: $388 Billion is the total Bill for Cybercrime footed by online adults in 24 countries over the past year When victims value the time they have lost to Cybercrime it was estimated at over $274 Billion The direct cash cost of cybercrime Money stolen by cybercrime or spent on resolving cyber attacks is estimated at over $114 Billion

5 What is Cybersecurity? Definition of cybersecurity, referring to ITU-T X.1205, Overview of cybersecurity Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user s assets against relevant security risks in the cyber environment. The general security objectives comprise the following: Availability Integrity, which may include authenticity and non-repudiation Confidentiality

6 What is the nature of Cybercrime? OECD had recommended that Computer related crime is considered as any illegal or unethical or unauthorised behaviour relating to automatic processing and the transmission of data. Commission of European Union in 2001 described it as any crime that in some way or other involves the use of information technology. It has now been extended to include massive and coordinated attacks against the information infrastructure of a country. Transnational nature of cyberspace makes effective law enforcement difficult. Cyber-criminals defy nations sovereignty and originate attacks from almost any computer in the world

7 Difficult to define.. Often involves traditional crimes Computer used to commit a crime Child porn, threatening , assuming someone s identity, sexual harassment, defamation, spam, phishing Computer as a target of a crime Viruses, worms, industrial espionage, software piracy, hacking Content-related offences, concerning the disclosure or making available by means of a computer system of illegal content Offences related to intellectual property

8 Business Data-Hackers are Everywhere Stealing data Industrial Espionage Identity theft Defamation Deleting data for fun A lot of bored 16 year olds late at night Turning computers into zombies To commit crimes Take down networks Distribute porn Harass someone Ethical/white hat hackers exist too Help break into networks to prevent crimes Source: E-Commerce Network - Suzanne Mello - Nov

9 THE CABINET-APPOINTED INTER MINISTERIAL COMMITTEE ON CYBER SECURITY

10 ABOUT THE IMC Established by Cabinet in March 2010 Began operations in April 2011 Given a period of twenty four months to complete its mandate

11 ABOUT THE IMC: Mandate To develop a coordinated National Cyber Security Strategy and Action Plan To facilitate, guide and ensure the enactment of a national Cybercrime Act To facilitate, guide and ensure the implementation of a National Computer Security Incident Response Team (CSIRT) To establish an implementation mechanism that would have legislative authority to develop and enforce cyber security regulations To create a mechanism/framework that ensures that risk/vulnerability assessments of each Ministry s cyber infrastructure and cyber security plan are conducted regularly

12 ABOUT THE IMC: Composition Core Committee Ministry of National Security (Chair) Ministry of Science and Technology Ministry of Tertiary Education and Skills Training-University of the West Indies Ministry of Public Administration Ministry of the Attorney General Ministry of Public Utilities Ministry of Energy and Energy Affairs Ministry of Finance and the Economy National ICT Company Ltd. (igovtt)

13 ABOUT THE IMC: Composition Sub Committees: Ministry of Health Ministry of Education Ministry of Legal Affairs Ministry of Foreign Affairs Ministry of Transport Telecommunications Authority of Trinidad and Tobago

14 Structure of the IMC National Strategy Culture and International Cooperation IMC Incident Management Government/ Civil Society and Private Sector Collaboration Legal

15 Achievements Coordinated the work of a HIPCAR Consultant which resulted in the development of a Draft Cybercrime Bill Capacity building and training for government stakeholders (OAS/CICTE, HIPCAR and proposed CCI) Developed and obtained approval for National Cyber Security Strategy (December 2012) Developed and obtained approval for a National Cybercrime Policy (February 2013) Developed and obtained approval for the establishment of a Cyber Security Agency (August 2013)

16 The Cyber Crime Policy: Purpose Ensure a coherent strategy in the prevention, investigation, prosecution and sentencing of computer crime and cybercrime in Trinidad and Tobago Enable Trinidad and Tobago to participate in the international endeavour to fight against transnational computer crime and cybercrime. Inform the preparation of a legislative framework for the deterrence and prosecution of cybercrime

17 The Cyber Crime Policy: Objectives Prevention and Awareness Raising Criminalization of offences related to computer crime and cybercrime Institution of investigation mechanisms Use of electronic evidence in prosecution Creation of an environment that defines the obligations and restricts the liability of ISPs Repeal of the Computer Misuse Act (2000) and replace with the Cybercrime Act

18 Legislation covers: Illegal access to a computer system ( hacking, circumventing password protection, exploiting software loopholes etc.) Illegal interception (violating privacy of data communication) Illegal Data interference (malicious codes, viruses, trojan horses etc.) System interference (hindering the lawful use of computer systems) Misuse of devices and illegal devices (tools to commit cyber-offences) Offences affecting critical infrasturcture Computer-related forgery (similar to forgery of tangible documents) Computer-related fraud (similar to real life fraud) Identity related offences SPAM Harassment using an electronic means Child pornography Infringement of copyright and related rights

19 Cont d Expedited preservation of stored computer data Expedited preservation and partial disclosure of traffic Data Production order Search and seizure of stored computer data Real-time collection of traffic data Interception of content data Procedural safeguards

20 Public-Private Partnership GoRTT will: Identify public stakeholders responsible for initiating and developing cyber security policies and regulations; Engage both the public and private stakeholders in the process by clearly defining their roles and responsibilities; Define the appropriate incentives that allow private, public and civil society stakeholders to participate in the process (for example no costly regulations). Involve specific critical infrastructure and Internet service providers instead of allocating responsibilities to a specific sector; 21

21 Public-Private Partnership Include civil society in the implementation of the strategy from an awareness raising standpoint; Foster the development of cyber security certification programmes that will be nationally recognized and accepted by the public and private sectors; Educate the general public and small, medium and large businesses on basic cyberspace safety and security issues. Permanent Stakeholders Group (to be est. by the E.D., TTCSA): It is envisioned that this Group will create an open forum for continued dialogue on cyber security matters. It is also intended that the Group will be available for discussions regarding regulations and standards to be set by the TTCSA. 22

22 Role of Businesses Companies will be encouraged to: Sensitize employees on cyber security and cyber threats. Evaluate the security of those networks that impact the security of Trinidad and Tobago s critical infrastructure. Such evaluations would include: Conducting risk assessments and audits; Developing continuity plans which consider staff and equipment; and Participating in industry-wide information sharing and best practice dissemination. Provide sufficient opportunities for continuing education and advanced training in the workplace to maintain high skill standards and the capacity to innovate. 23

23 The New Wild Wild West More cyber criminals than cyber cops Criminals feel safe committing crimes from the privacy of their own homes Brand new challenges facing law enforcement Most not trained in the technologies Internet crimes span multiple jurisdictions Need to retrofit new crimes to existing laws Criminals exploit weaknesses in laws as well as vulnerabilities in technologies. E-Commerce Network - Suzanne Mello - Nov

24 Way forward.