Embed Size (px)
DESCRIPTION
Three Principal Component areas of a Partnership Framework Institutional Policy Legislation Regulation Enforcement Technical Accreditation Certification Testing Labs Standards Operational Mutual Recognition Agreements Geneva, Switzerland, September
Citation preview
Geneva, Switzerland, 15-16 September 2014
Towards a partnership-based framework for secure ICT
Infrastructure in developing countriesBill McCrum
Senior Director, Telecom Consulting [email protected]
ITU Workshop on “ICT Security Standardizationfor Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)
CONTENTS
OverviewPolicy and LegislationRegulation and EnforcementInfrastructure Challenges in Developing CountriesEconomic Impacts of Insecure ICTsUnique Role of ITU-TMutual Recognition Agreements (MRAs)Conclusion and Recommendations
Geneva, Switzerland, 15-16 September 2014 2
Three Principal Component areas of a Partnership Framework
Institutional Policy Legislation Regulation Enforcement
Technical Accreditation Certification Testing Labs Standards
Operational Mutual Recognition Agreements
Geneva, Switzerland, 15-16 September 2014 3
OVERVIEW
Many governments have proposed and are enacting policies, legislation, regulations & strategies to secure their ICT infrastructureA partnership framework for policy, legal, regulatory and enforcement is highly desirableToday’s global ICT infrastructure is highly interdependent but with a wide variety of system suppliers and incompatible equipmentMany organizations setting standards in ICT security – cooperative framework can helpNew frameworks needed to include all aspects from standards to compliance and best practices.
Geneva, Switzerland, 15-16 September 2014 4
Small Sample of the Problem
Hacking attacks on State entities according to a major Asian country report, now estimated at one every 30 secondsSame scale of attacks are now commonplace in most developed countries affecting State, Business and Personal activitiesYahoo quote: “there are only two types of companies: the ones that have been attacked, and the ones that just don’t know it yet” “Intrusion Prevention” company reports that 100% of large Corporations investigated had active commercial espionage infections
Geneva, Switzerland, 15-16 September 2014 5
Framework Policy Component
Policies that recognize reliance on the interconnectedness of a secure global digital infrastructure for prosperityA policy of regional and global engagement on a common cybersecurity framework as an essential step in the processInteroperability identified as a top policy challenge especially in developing countriesCommitment to globally accepted standards as a key policy for achievement of connectivity
Geneva, Switzerland, 15-16 September 2014 6
Framework Legislative ComponentA targeted legal framework needed to prosecute offenders in e-fraud and ICT infrastructure attacks with global reachAppropriate legislation to deal with electronic offenders at all levels with a long reachPressure groups are being formed to lobby legislative assemblies for speedy legal remediesNew legislation is envisaged that would require mandated disclosure of all security incidents and fraud losses to appropriate authoritiesNew USA Cybersecurity Information Sharing Act launched in past few weeks
Geneva, Switzerland, 15-16 September 2014 7
Framework Regulatory ComponentRegulator’s interest spiked by increasingly costly and sophisticated cyber attacks ($100’s of Millns)Renewed interest by governments to audit cyber security defenses of corporations and financial institutions within a defined frameworkAudits should be done against defined standards, laws and regulations with global collaborationBasic principles of fair notice and due process must be respected in all jurisdictionsDefensive and remedial actions against hackers must not be held hostage to partisan political agendas
Geneva, Switzerland, 15-16 September 2014 8
Framework Enforcement Component
Laws and regulations are struggling to keep pace with the volume and sophistication of attacksEnforcement must be carried out in keeping with laws, regulations and standards within an agreed frameworkMany countries have laws but no enforcementOthers have enforcement but inadequate lawsExpect enforcement agencies to increasingly hold parties responsible for the unlawful release or failure to protect sensitive informationEnforcement must have global reach and be based on trusted credentials across borders
Geneva, Switzerland, 15-16 September 2014 9
ICT Infrastructure Challenges in Developing Countries
Surveys conducted by the ITU in 2011 and 2013 identified a wide range of conformance and interoperability problems in developing countries.Prominent findings in common: Incompatibility of new equipment with legacy equipment
even among equipment of same supplier – pass through services, including security, reduced to lowest common denominator
No national conformity assessment capabilities Non-standard proprietary interface specifications and no
commitment to international standards Inadequate financial resources and expertise in country Susceptibility to malicious and opportunistic economic
cybercrime
Geneva, Switzerland, 15-16 September 2014 10
Economic Impacts of Insecure ICT Infrastructure
Significant delays in deployment of new services such as e-health, e-education, e-financial services, e-government, social networkingDelayed full participation in the 21st century digital worldResult is reduced economic growth, lost opportunity and lower standards of livingConcerns with QoS, security and trust in ICT infrastructure and servicesProblems with counterfeit products and dumpingNeed for institutional reforms at many levels
Geneva, Switzerland, 15-16 September 2014 11
Unique Role of ITUThe ITU-T standards development process accommodates input from every Member State of the United Nations on an equal footingThis is especially important to developing countries which often cannot afford to send large delegations to standards development bodies to promote their viewpointsThe ITU Bureaux offer developing countries:
Inclusion – a voice in the standards process Training and mentoring - access to expertise Coordination and trusted brokering of
partnerships amongst Member States for support, assistance and sharing of resources
Geneva, Switzerland, 15-16 September 2014 12
Operational Component of Framework “Mutual Recognition Agreements”
Establishment and maintenance of a secure ICT infrastructure requires the following facilities: Testing Labs, Certification and Accreditation Bodies -
services potentially shared among multiple countries Capability of assessing conformity to security standards
and other standards for interoperability and regulatory compliance
MRAs can provide trusted sharing of such facilities among multiple partners based on trusted credentials
Legal and Regulatory instruments need to be in place to permit the trusted sharing required
Countries within a region sharing cultural, social and economic goals can find MRAs a very useful tool
Geneva, Switzerland, 15-16 September 2014 13
Conclusions and Recommendations
A secure ICT infrastructure is essential to economic prosperity and growthThe 3 components of a partnership framework presented here must move towards convergence of principles globally to make this happenMRAs can provide a trusted partnership framework to facilitate the discussions of like-minded parties in ICT infrastructure securityMRAs are now a well established instrument of cooperation and collaboration across sovereign boundaries and can be recommended for this challenge – and the ITU can help.
Geneva, Switzerland, 15-16 September 2014 14
