
© 2010 Deloitte Touche Tohmatsu

Cyber Security Roadmap

The Hague, 25 May 2011

Security: Developing a Secure Cyberspace

Protecting the 5th Domain
• As with land, sea, air and space, a safe Cyberspace is crucial for our societies.

Different Threats, Different Response
• Cyber criminals have differing motivations…including protest, crime, espionage or terrorism.

Non-Traditional Issues
• Affects our Economics, Politics, Psychology & Technology.

National & Economic Security
• Response requires international coordination, across industries and geographies.

Cyber Global Commons
• Need global dialogue resulting in an international roadmap for Cyber.

Roadmap
• Actionable solutions for key Cyber issues by 2020.

What is Cyber, what is Cybersecurity?

Cyber is:
• All around us
• Affecting virtually all
• Transport, finance, medical, healthcare, government, justice, law & order, media, education, military, energy, industry, culture etc.

Cybersecurity is about:
• Global Network Threats
• National Security
• Economic Security

The New Cyber Landscape

National & Economic Security

Cyber Threats…next STUXNET?

Cyber Opportunities

The scale of Cyberspace is vast – and growing exponentially

• In 2008: 1.2 billion laptops and 3 billion people connected to the Internet
• 2 trillion texts are sent per day worldwide
• 247 billion emails are sent per day (90% spam)
• The U.S. is the 3rd largest country globally with a population of 310 million people … Facebook has more than 500 million active users
• Currently, the most popular vector for attacking users is through social networking sites
• Average un-patched computer survival time on the internet: 4 minutes
• By 2013 the Internet will be 4X larger than in 2009
• Mobile data traffic will increase 66X
• By 2015, we expect 15 billion devices to be connected to the Internet

Cyberspace is borderless, enforcement not

Key Cyber Issues

• Some governments approach Cyberspace as a sovereign issue, leading to global fragmentation
• Shortage of multi-skilled Cyber individuals creates a discrepancy between threat and response capability
• Anonymity makes attribution difficult
• Lack of awareness of the global scale of the security problem
• Asymmetric problem that makes centralized response challenging…massive attacks able to be launched from the desktop
• Human behavior consistently being exploited to defeat technology-centric approach to Cyber defense
• Legislation does not keep pace with technology change
• The seams or handoffs between networks or organizations are vulnerable targets
• Systemic underreporting and need for metrics

Secure Cyber Environment: What is it?

“… everyone can live and work online with confidence and safety”
• Networks seen as safe and reputable
• Intellectual property of businesses, universities and other institutions, which underpins a knowledge economy, is better protected
• Citizens have greater confidence in public service transactions
Source: UK’s Digital Britain Report

“... a secure, resilient and trusted electronic operating environment”
• Citizens are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online.
• Businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers.
• Government ensures its information and communications technologies are secure and resilient.
Source: Australian Government’s cyber security policy

The risk-return tradeoff for cybercrime needs to be made unfavorable

Fast Forward To 2020: We did it!

How did we get there, what did we do between now and 2020?

Questions:

Governance
How did we agree on a global coordinated approach and improve cooperation and networks?
How did we agree on Cyber Treaties?

Legal
How did we address Cyber safe-havens (criminal, terror, etc)?
What did we do to have international bodies coordinate the necessary steps (EU, UN, Europol, Interpol)?

Technical
How did we agree on technical standards?

Resources
How did we train enough Cyber Professionals?

Awareness
How did we create a self-financing public-private ecosystem that works?
How did we restore confidence in cyberspace?

Cyber Stakeholders: five levels

Current debate is not coordinated and focused on the middle three levels

Type (five levels): Global, Regional, National, Organizational, Individual

Stakeholders: United Nations, G 20, WTO, NATO, European Union, Central government, Agencies, GovCert’s, Military organizations, Healthcare organizations, Financial institutions, Citizens, Employees, Consumers

Example:
• UN Article 41 & 42
• ITU / ICANN / ISO / FIRST
• National Security Strategies
• NATO Article 5
• US Partner discussions
• Nation specific CERT’s
• China Internet Network Information Center (CNNIC)
• US CYBERCOMMAND
• Australian Internet Security Initiative
• Software developers
• Hardware developers
• Social media

Global Cyber Maturity Curve: Collective action and milestones

Protecting cyberspace

Many governments understand that protecting cyberspace is critical to the economic and national security of their countries. But unlike other domains of global relations, few rules govern interactions in cyberspace.

Fast forward to 2020: A secure cyber environment

Imagine that, by the year 2020, we are operating in a secure cyber environment where the challenges we are experiencing today have been addressed. How did we get here? What did we do between 2010 and 2020?

This global cyber framework seeks to address some of these questions by proposing a maturity curve model as a guide for the international community to work together better to solve cyber security issues—such as addressing gaps in international law for pursuing criminals across borders, sharing information, and collaborating on incident response. The framework describes some of the steps that we believe may need to happen to develop a more secure cyberspace by 2020, addressing key areas like the following.

Governance

Governance for cyberspace includes global rules, treaties and protocols, similar to those in place for national defense, trade, and human rights.

Legal

Much cyber crime is transnational, and fighting it may require an international legal framework.

Technical

The rapid introduction of new technologies and increasing interdependencies across technologies, networks and applications underscores the need for tightening security for new technologies and establishing worldwide standards for security. Many organizations (commercial and government) may disagree.

Resources

The technology and managerial expertise of the workforce—including specialists who can address diverse issues including legal, intellectual property, and diplomatic challenges—and the “pipeline” of potential new talent will need to be increased, particularly with highly technical skill sets. In addition, information sharing and research and development resources will need to be put into place – and funded.

Awareness

Cyber security cannot be achieved through technology alone; it requires a cultural understanding and a widespread willingness to demonstrate secure behaviors consistently.

Actions by stakeholder level and attention area (Governance, Legal, Technical, Resources, Awareness)

Global & Regional Organizations

Governance:
• Establish a coordinating agency
• Develop an international policy framework
• Coordinate international approach and efforts on deterrence and incident response
• Define global and regional responsibilities and alignment

Legal:
• Formulate a structure to enforce cyber laws
• Define normative action in cyberspace
• Establish proactive and preemptive cyber practices and protocols
• Address the privacy issues associated with attribution

Technical:
• Develop and establish technical standards and guidelines for secure products
• Form public-private partnerships
• Address the technical issues associated with attribution

Resources:
• Set qualification standards for cyber security professionals
• Make funding arrangements
• Stimulate exchange of information

Awareness:
• Build commitment
• Promote development of capacities
• Sponsor cyber security programs

National Governments

Governance:
• Appoint a national coordinator and prepare a strategy
• Incent (critical) industry security
• Enforce information sharing on incidents

Legal:
• Reexamine statutes governing investigations
• Designate a privacy and liberties official
• Create legal standards for securing critical cyber infrastructure

Technical:
• Improve market incentives for secure and resilient hardware and software products
• Establish standard certification metrics

Resources:
• Incorporate education programs from early education on to expand and train workforce
• Expand on research and development programs
• Conduct initiatives to attract people to cyber security as a career

Awareness:
• Initiate public awareness and education program for children, adults, elderly, and others
• Initiate national helpdesk for companies
• Stimulate research and development

Private sector & industry

Governance:
• Establish consultative structure to agree on sector/industry standards

Legal:
• Sector/industry agrees on legal standards for services and products

Technical:
• Sector/industry agrees on security standards for cyber security products

Resources:
• Participate in national initiatives
• Retool existing workforce

Awareness:
• Stimulate industries to educate the workforce, particularly in critical sectors

(Figure: maturity curve. Vertical axis: specialized capabilities and attributes; horizontal axis: Level 1 to Level 5, ’12 to ’20. Attention areas: Governance, Legal, Technical, Resources, Awareness.)

Milestones:

• Specialized governing body established to act as a coordinating authority on international cyber security
• Supranational legal structure in place to enforce cyber security (by-) laws
• Anonymity and attribution are defined, harmonized and implemented
• Certification of resilient systems defined for key global infrastructure
• National awareness program to educate individuals from childhood and onward
• Standardized education and specialized credentialing in place for cyber security specialists and workers
• Coordination between global response centers for coordinated response, exercises and predictive research
• Global workshops on cyber policy, economics and technology
• Leverage existing global bodies for cyber agenda setting
• International cyber tribunal established
• International protocol for pre-coordinated response across industry / geography for cyber security incidents
• Self-financing eco-system created to enhance public-private information sharing and cooperation
• Enhanced standards and guidelines for built-in security, including consumer products
• Normalized reporting processes on cyber attacks and consequences across public and private sectors
• Designation of critical infrastructure, cyber security coordinator and national protection plans
• Specialized cyber offices and liaisons established at key international institutions
• Member states implementation of national cyber security strategy
• International-accepted framework for normative action in cyber space and protocol for harmonized security and privacy
• Military forces operate in accordance to defined cyber laws for deterrence and response
• Legal reviews of country laws & regulations to determine common principles
• Global construct for law enforcement and intelligence cooperation to interdict cyber criminal “safe havens”
• Global cyber fusion center(s) share data across commercial, government and law enforcement to support predictive analytics and response

Key governance recommendations for a Cyber secure world

• Establish a coordinating agency (World Cyber Organization?)
• Develop international policy framework
• Coordinate international approach and efforts on deterrence and incident response
• Define global and regional responsibilities and alignment
• Appoint a national coordinator and prepare a strategy
• Incent (critical) industry security
• Enforce information sharing on incidents
• Establish consultative structure to agree on sector / industry standards

(Figure: maturity level in 2010 and 2020 per stakeholder level, Global / Regional, National, Organizational, Individual, across Governance, Legal, Technology, Resources, Awareness.)

Key legal recommendations for a Cyber secure world

• Formulate a structure to enforce Cyber laws
• Define normative behavior in Cyberspace
• Establish proactive and preemptive cyber practices and protocols
• Address the privacy issues associated with attribution
• Reexamine statutes governing investigations
• Designate a privacy and liberties official
• Create legal standards for securing critical Cyber infrastructure
• Sector / Industry agrees on legal standards for services / product

(Figure: maturity level in 2010 and 2020 per stakeholder level, Global / Regional, National, Organizational, Individual, across Governance, Legal, Technology, Resources, Awareness.)

Key technical recommendations for a Cyber secure world

• Develop and establish technical standards and guidelines for secure products
• Form public-private partnerships
• Address the technical issues associated with attribution
• Improve market incentives for secure and resilient hardware and software products
• Establish standard certification metrics
• Sector / industry agrees on security standards for cyber security products
• ISPs play active role in solving spam and botnet issues
• Coordinate security around seams and handoffs

(Figure: maturity level in 2010 and 2020 per stakeholder level, Global / Regional, National, Organizational, Individual, across Governance, Legal, Technology, Resources, Awareness.)

Key resource recommendations for a Cyber secure world

• Incorporate education programs to expand and train workforce
• Expand on research and development programs
• Participate in national initiatives
• Retool existing workforce
• Set qualification standards for cyber security professionals
• Make finance arrangements
• Stimulate exchange of information

(Figure: maturity level in 2010 and 2020 per stakeholder level, Global / Regional, National, Organizational, Individual, across Governance, Legal, Technology, Resources, Awareness.)

Key awareness recommendations for a Cyber secure world

• Build commitment
• Promote development of capacities
• Sponsor cyber security programs
• Initiate public awareness and education program for children, adults, elderly, etc.
• Initiate national helpdesk for companies
• Stimulate research and development
• Stimulate industries to educate the workforce, particularly critical sectors
• Know the rules of the road

(Figure: maturity level in 2010 and 2020 per stakeholder level, Global / Regional, National, Organizational, Individual, across Governance, Legal, Technology, Resources, Awareness.)

A holistic approach is required to address the cybersecurity challenges

(Figure: enterprise functions that the approach must span.)

Governance: Compliance; Ethics; Intra-government Coordination; Laws & Regulations; Reporting

Mission: Judicial; Legislative; Program / PMO; Programs & Services; Programs & Services Development

Mission Support: Acquisition; Assets; Finance; Human Resources; Information Technology; Public Relations & Communications

Strategy, Policy & Planning: Strategy & Planning; Enterprise Risk Management; Operational Planning; Performance Management