Geneva, Switzerland, 15-16 September 2014 Towards a partnership-based framework for secure ICT Infrastructure in developing countries Bill McCrum Senior Director, Telecom Consulting [email protected] ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, 15-16 September 2014)


CONTENTS

- Overview
- Policy and Legislation
- Regulation and Enforcement
- Infrastructure Challenges in Developing Countries
- Economic Impacts of Insecure ICTs
- Unique Role of ITU-T
- Mutual Recognition Agreements (MRAs)
- Conclusion and Recommendations


Three Principal Component areas of a Partnership Framework

- Institutional
  - Policy
  - Legislation
  - Regulation
  - Enforcement
- Technical
  - Accreditation
  - Certification
  - Testing Labs
  - Standards
- Operational
  - Mutual Recognition Agreements


OVERVIEW

- Many governments have proposed and are enacting policies, legislation, regulations & strategies to secure their ICT infrastructure
- A partnership framework for policy, legal, regulatory and enforcement is highly desirable
- Today’s global ICT infrastructure is highly interdependent but with a wide variety of system suppliers and incompatible equipment
- Many organizations setting standards in ICT security – cooperative framework can help
- New frameworks needed to include all aspects from standards to compliance and best practices.


Small Sample of the Problem

- Hacking attacks on State entities, according to a major Asian country report, now estimated at one every 30 seconds
- The same scale of attacks is now commonplace in most developed countries, affecting State, Business and Personal activities
- Yahoo quote: “there are only two types of companies: the ones that have been attacked, and the ones that just don’t know it yet”
- “Intrusion Prevention” company reports that 100% of large Corporations investigated had active commercial espionage infections


Framework Policy Component

- Policies that recognize reliance on the interconnectedness of a secure global digital infrastructure for prosperity
- A policy of regional and global engagement on a common cybersecurity framework as an essential step in the process
- Interoperability identified as a top policy challenge especially in developing countries
- Commitment to globally accepted standards as a key policy for achievement of connectivity


Framework Legislative Component

- A targeted legal framework needed to prosecute offenders in e-fraud and ICT infrastructure attacks with global reach
- Appropriate legislation to deal with electronic offenders at all levels with a long reach
- Pressure groups are being formed to lobby legislative assemblies for speedy legal remedies
- New legislation is envisaged that would require mandated disclosure of all security incidents and fraud losses to appropriate authorities
- New USA Cybersecurity Information Sharing Act launched in past few weeks


Framework Regulatory Component

- Regulators’ interest spiked by increasingly costly and sophisticated cyber attacks ($100s of millions)
- Renewed interest by governments to audit cyber security defenses of corporations and financial institutions within a defined framework
- Audits should be done against defined standards, laws and regulations with global collaboration
- Basic principles of fair notice and due process must be respected in all jurisdictions
- Defensive and remedial actions against hackers must not be held hostage to partisan political agendas


Framework Enforcement Component

- Laws and regulations are struggling to keep pace with the volume and sophistication of attacks
- Enforcement must be carried out in keeping with laws, regulations and standards within an agreed framework
- Many countries have laws but no enforcement
- Others have enforcement but inadequate laws
- Expect enforcement agencies to increasingly hold parties responsible for the unlawful release or failure to protect sensitive information
- Enforcement must have global reach and be based on trusted credentials across borders


ICT Infrastructure Challenges in Developing Countries

- Surveys conducted by the ITU in 2011 and 2013 identified a wide range of conformance and interoperability problems in developing countries.
- Prominent findings in common:
  - Incompatibility of new equipment with legacy equipment even among equipment of same supplier – pass through services, including security, reduced to lowest common denominator
  - No national conformity assessment capabilities
  - Non-standard proprietary interface specifications and no commitment to international standards
  - Inadequate financial resources and expertise in country
  - Susceptibility to malicious and opportunistic economic cybercrime


Economic Impacts of Insecure ICT Infrastructure

- Significant delays in deployment of new services such as e-health, e-education, e-financial services, e-government, social networking
- Delayed full participation in the 21st century digital world
- Result is reduced economic growth, lost opportunity and lower standards of living
- Concerns with QoS, security and trust in ICT infrastructure and services
- Problems with counterfeit products and dumping
- Need for institutional reforms at many levels


Unique Role of ITU

- The ITU-T standards development process accommodates input from every Member State of the United Nations on an equal footing
- This is especially important to developing countries which often cannot afford to send large delegations to standards development bodies to promote their viewpoints
- The ITU Bureaux offer developing countries:
  - Inclusion – a voice in the standards process
  - Training and mentoring – access to expertise
  - Coordination and trusted brokering of partnerships amongst Member States for support, assistance and sharing of resources


Operational Component of Framework “Mutual Recognition Agreements”

- Establishment and maintenance of a secure ICT infrastructure requires the following facilities:
  - Testing Labs, Certification and Accreditation Bodies – services potentially shared among multiple countries
  - Capability of assessing conformity to security standards and other standards for interoperability and regulatory compliance
- MRAs can provide trusted sharing of such facilities among multiple partners based on trusted credentials
- Legal and Regulatory instruments need to be in place to permit the trusted sharing required
- Countries within a region sharing cultural, social and economic goals can find MRAs a very useful tool


Conclusions and Recommendations

- A secure ICT infrastructure is essential to economic prosperity and growth
- The 3 components of a partnership framework presented here must move towards convergence of principles globally to make this happen
- MRAs can provide a trusted partnership framework to facilitate the discussions of like-minded parties in ICT infrastructure security
- MRAs are now a well established instrument of cooperation and collaboration across sovereign boundaries and can be recommended for this challenge – and the ITU can help.


THANK YOU FOR YOUR ATTENTION

[email protected]