Capacity Building in Cyberspace Security
Muhammad Amir Malik
Member (IT), Government of Pakistan
amir@moitt.gov.pk

Sequence of Presentation
- Country Profile of Pakistan
- ICT Profile of Pakistan
- Cyberspace Vs Cyber Security
- Capacity Building in Cyberspace
- Current Cyber Security Status and Issues
- Cyber Security Incidents in Pakistan
- Recommendations

Area - 796,096 sq km
Population - 184.7 Million
GDP Growth Rate - 2.4%
GDP / Capita US$ - 1,254

Teledensity Comparison

2004
- Total Population: 152.5 Million
- Mobile Phone subscribers: 5 Million (3.3%)
- Fixed Line subscribers: 4.5 Million (2.9%)
- WLL subscribers: ---
- Broadband subscribers: ---

2012
- Total Population: 184.7 Million
- Mobile Phone subscribers: 118 Million (65.2%)
- PC Internet Users: 22.2 Million (12%)
- Mobile Internet Users: 15.7 Million (9%)
- Broadband subscribers: 2 Million (1%)
- Fixed Line subscribers: 3.1 Million (1.9%)
- WLL subscribers: 2.7 Million (1.7%)

[Chart: Total Teledensity, Telecommunication Services; series: Teledensity, Subscribers]

Broadband in Future
[Chart: Broadband in Future]
- Expanding Access
- Promoting Local Content
- Delivering Public Service Areas over Broadband

Cyberspace vs Cyber Security
Cyberspace is the electronic medium of computer networks, in which online communication takes place.
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cyber security.

Capacity Building
Capacity building, also referred to as capacity development, is a conceptual approach to development that focuses on understanding the obstacles that inhibit people, governments, international organizations and non-governmental organizations from realizing their developmental goals, while enhancing the abilities that will allow them to achieve measurable and sustainable results.

Capacity Building in Cyberspace Security
People are the weakest link; hence, capacity building needs to be promoted in order to develop a sustainable and proactive culture of cyber security.

Pakistan: Current Cyber Security Status
Legal Framework: The Government of Pakistan has issued three laws to deal with cyber crime/cyber security issues:
- Pakistan Telecommunication Re-Organization Act 1996
- Electronic Transaction Ordinance 2002
- Prevention of Electronic Crime Ordinance 2009
Regulatory Framework: The Pakistan Telecommunication Authority (PTA) and the State Bank of Pakistan have issued regulations to prevent threatening messages (SMS)/calls and to reduce information security risks in the banking sector, particularly mobile or branchless banking, respectively.

Current Cyber Security Status
Institutional Capacities: The Government of Pakistan has taken steps to reduce information risks and deter such incidents through the following:
- Established the National Response Centre for Cyber Crimes (NR3C) as a specialized wing of the Federal Investigation Agency (FIA) to prevent cyber crimes and enforce laws dealing with cyber crimes.
- Established a Cyber warfare unit in the Pakistan Air Force.
- Established the National Telecom Information Security Board (NTISB) for enforcement of the National Internet and Email Policy.

Current Cyber Security Status
Human Capacities: The Government of Pakistan has taken steps to reduce human capacity gaps on both the academic and professional fronts, as follows:
- Two Pakistani universities, i.e. NUST and CASE, are offering PhD degrees in Information Security.
- Pakistan Computer Bureau (PCB), National Response Centre for Cyber Crimes (NR3C), NTISB and Pakistan Science Foundation are providing professional training and conducting workshops and seminars in the area of Information Security to bridge the gap in requisite skills.

Current Cyber Security Status
Human Capacities: NR3C capacity building progress in the area of cyber security is shown in the following graph.
[Chart: Capacity Building by NR3C; series: No. of Awareness Programs, No. of Attendees; years 2007 to 2012]

Cyber Security Incidents in Pakistan
Defacement of official Government websites (2008-2012)
Successful hacking/defacement attempts against official government websites during 2008-2012 have reached 194.

Year                 Total Nos
2012                 47
2011                 43
2010                 45
2009                 34
2008                 25
Total Defacements    194

Cyber Security Incidents in Pakistan
- Successful hacking/defacement attempts against official government websites during 2005-2012 have reached 294.
- 2643 complaints received from August 2007 to August 2012
- 1772 enquiries registered from August 2007 to August 2012
- 375 cases registered against cyber criminals from August 2007 to August 2012
- 262 cyber criminals arrested from August 2007 to 31st August 2012

Current Cyber Security Status
Policy Environment: The Government of Pakistan has drafted/approved the following policies:
- The National IT Security Policy for Government Departments is at the final stage of approval by the Government of Pakistan.
- The National Internet and Email Policy, approved in 2005, is in place. The policy has been revised with major improvements, and the revision is expected to be approved shortly.

Cyber Security Issues
- Revision of Policies, Legal and Regulatory frameworks
- Governance, Roles and Responsibilities
- Availability and distribution of financial resources
- Availability of technical resources (Cyberspace Security Specialists)
- Development of cyber culture (creating awareness at different levels, e.g. Government, business and general public, and setting priority)
- Lack of Capacity Building of Educational Institutions
- Technical Capabilities and R&D (proactive approach, e.g. research and development for new threats and handling threats to minimize the loss)
- International Engagement & Partnership

Recommendation
- This Forum may establish a Technical Level Working Group in order to develop a database of threats and their possible remedial actions. All the member countries of the Asia Pacific Region will share the database. If possible, come up with common cyber security definitions.
- There is a wide gap in human/institutional capacity building between developed and developing countries of the Asia Pacific Region. ARF may consider raising a fund through voluntary donations for enhancing human/institutional capacity building in poor/under-developed countries.
- There is a wide gap in experience sharing, knowledge sharing and transfer of technology between Asia-Pacific regional countries, which needs to be bridged/narrowed down.
- Funded scholarships may be granted to government officers of developing countries serving in the information security domain.

Recommendation
- The Government of Korea may share experiences of the cyber security Capacity Building Program already introduced by the Korean Communication Commission with countries like Pakistan. Other countries may also share their experiences with Pakistan.
- This Forum may introduce Distance Learning tools using Video Conferencing Technology in all Asia-Pacific regional countries to share experiences of cyber security and to discuss the remedial actions to cater for the cyber security threats to be faced from time to time.
- This Forum may also seek nominations for a Point of Contact (PoC) from Asia Pacific Regional countries in order to liaise with each other on cyber security issues/initiatives.

Thank you