International Telecommunication Union
Towards a Multi-stakeholder initiative to develop and improve national cybersecurity strategies
National Cybersecurity Strategies - WHAT
• Policy document, strategy document, action plan
• Process for review and enhancement
• Standalone document or embedded in other strategies …
• Actionable, sustainable
• A public document or not …
• Currently over 72 countries have published National Cybersecurity Strategies
• The oldest was issued in 2004 and the latest in 2015.
Some repositories are:
• ITU http://www.itu.int/en/ITU-D/Cybersecurity/Pages/National-Strategies-repository.aspx
• ENISA https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world
• NATO CCDCOE https://ccdcoe.org/strategies-policies.html
Source: ITU
National Cybersecurity Strategies - WHY
• Brings into being the route to building public confidence and trust in the use of ICTs through a coordinated multi-sector response driven by the relevant national agency
• Becomes a necessity as:
  • ICT usage in the country increases
  • Cyber-attacks proliferate locally and regionally
  • A wake-up call arrives through an attack on a critical (information) infrastructure
  • The country is identified as a vector for cyber-attacks
  • Alignment with regional and international principles, resolutions, agreements is required..
• To leapfrog in cybersecurity development as part of a bigger socio-economic strategy
• Indicates Government commitment to the enhancement of cybersecurity
• Justifies the funding and other resources needed to enhance cybersecurity
There are other valid reasons..
National Cybersecurity Strategies - HOW
• Have a champion leading the work and ensuring that the deliverable will move into the implementation phase
• Set up a dedicated local team with the relevant representation and expertise
• Contract consultancy / expert services / bilaterals with nations having expertise in NCS elaboration
• Use existing models, tools and resources
• Identify the appropriate resources … how do nations do that ??
• Let's reduce the confusion & overlaps and create effective SYNERGIES
And there are more great resources…
(Timeline figure of existing resources published from 2011 to 2014)
All project partners contribute their knowledge and expertise in the National Cyber Security domain, thereby providing high added value to the toolkit definition
15 partners (e.g. ENISA) who have been active in devising models and implementing cybersecurity strategies; comprehensive and not exhaustive …
• Devise tools, guidelines, principles, checklists…
• Implement National Cybersecurity Strategies
• Provide funding for National Cybersecurity Strategies development / implementation
Co-authored multi-stakeholder approach
Let's create a toolkit to help nations to develop or improve their national cyber security strategies

Examples of topics to be addressed:
• The role, objectives and scope of a National Cyber Security Strategy in line with the UN SDGs
• The definition/publication/review process: the Governance Model
• National and international standards and government compliance program
• Critical Infrastructure Protection and integration with other national security/emergency programs
• National Risk Management program
• Implementation strategies for the Government
• National Incident Response/CERT - integration/alignment with Military/Intelligence
• Implementation strategies for the Private Sector
• The definition/publication/review process: the Awareness Programme
• Aspects not typically covered by public strategies that should be considered and addressed

Components of the toolkit:
NCS Guide: a single resource for any country to gain a clear understanding of National Cyber Security Strategy in terms of:
– the purpose and content
– how to go about developing a strategy, including strategic areas and capabilities
– the relevant models and resources available
– the assistance available from various organisations and their contact details
FORMAT: 15-20 page Word / PDF

Support Tool: a simple tool that allows national governments and stakeholders to:
– Evaluate their current status in each of the strategic areas identified in the reference guide
– Evaluate their current status in cyber security lifecycle management
– Easily identify key areas for improvement
– Provide a means for measuring improvements over time
FORMAT: Excel or web-based worksheet
Five key elements considered when designing the toolkit
Source: ITU / Intellium preliminary analysis

1. GEOGRAPHIC FOCUS: which countries / regional areas the model / tool focuses on
   – Global: designed for use in all countries
   – Regional: tailored for use in a specific region / political alliance
2. TARGET STRATEGY APPLICABILITY: designed to define a strategy or to evaluate an existing strategy
   – New: provides guidance in developing a new strategy
   – Existing: helps to evaluate existing strategies
3. AREAS OF IMPROVEMENT: helps to identify areas of improvement and how to address them
   – Identify: identifies improvement areas
   – Address: provides solutions for improvement areas
4. LINKAGE/REFERENCE TO OTHER MODELS: establishes links to existing guidelines / references
   – Global: refers to globally focused models
   – Regional: refers to regionally focused models
5. DESIGNED FOR ASSESSING IMPROVEMENTS: includes functionality for measuring improvements over time
   – Indicators: good practice indicators for each component of the strategy that can be measured repeatedly over time
First Partners' Workshop – Feb 2016 @ ITU HQ Geneva
• Agreement on approach for a toolkit with a Reference Guide and an Evaluation component
• Agreement on overall structure of Reference Guide
• Life cycle management process – PDCA adaptation
• Horizontal cross-cutting principles e.g. coordination, HR fundamental values, Responsibility & Accountability
• 8 Strategic Areas: National Cybersecurity Governance, National Cybersecurity Framework, Critical Infrastructure Protection, National Incident Response, Capability Development, National Awareness & Workforce Building, Legal Frameworks, International Collaboration
• Good Practice for each Strategic Area
Sample Strategic Area & GPI (WORK IN PROGRESS)
STRATEGIC AREA 4 – NATIONAL INCIDENT RESPONSE
Description: detection of and response to cyber incidents of national interest in a coherent manner with continuous improvement of response capabilities and coordination
GPIs:
4.1 Define what should be considered a national-level cyber security incident according to impact-based guidelines
4.2 A national CERT (Computer Emergency Readiness Team) coordinates relevant stakeholders at national / regional / international level in both public and private sectors across the complete incident response lifecycle, including preparation, prevention, response, and recovery
4.3 Requirements for Government agencies and Critical Infrastructure operators shall be defined (establishment of CERTs, Points of Contact, incident/breach notification, etc.)
4.4 Established contingency plans outline principles and guidelines for actions to be taken by relevant stakeholders in the event of a national cyber security incident.
4.5 Cybersecurity exercises are conducted at the national level and relevant stakeholders participate in exercises, at the national and/or regional/international level (through coordination with the national CIRT/CERT/CSIRT) to evaluate and
Reference to existing guidelines:
• ITU, National Cybersecurity Strategy Guide, sections 11.3, 17.3
• GCSCC, Cyber Security Capability Maturity Model, Dimensions 1-2
• CTO, Commonwealth Approach for Developing National Cyber Security Strategies, section 4.7.5
• MS, Developing a National Strategy for Cybersecurity, section: Building Incident Response Capabilities
• ENISA, Guidebook on National Cyber Security Strategies, sections 3.6, 3.7, 3.10, 3.14
• OECD, Digital Security Risk Management for Economic and Social Prosperity, section 2-B
• Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd Edition, April 2003
• NATO CCD COE, National Cyber Security Guidelines, section 3.3
• Potomac Institute for Policy Studies, Cyber Readiness Index, section 2
Second Partners' Workshop – June 2016 @ Oxford University, UK
• Refined the NCS Guide and developed the Support Tool's specifications
• Presentations of relevant tools being worked on by World Bank and RAND Europe
• Agreement on:
  • Processes for NCS development
  • Review of NCS Guide
  • Additions to Support Tool
  • Next workshop host and venue
Proposed Next Steps
• Partners review and ITU harmonization cycles until early October 2016
• Third Partners' workshop in mid-October 2016 in Washington DC, hosted by OAS
• Pilots as from December 2016
• Regular information sharing among partners: new versions of products, implementation sites, feedback, events, …
• Annual partners meeting and tool review every 2 years ..
Ultimate aim
• Facilitate Member States' approach to elaborating, reviewing and evaluating their National Cybersecurity Strategies
• Harmonise the efforts of all stakeholders who devise tools, guidelines, checklists and more
• Optimise the use of resources in enhancing the tools based on technology changes, lessons learnt and more
• Information sharing for effective, sustainable National Cybersecurity Strategies – a commitment from Government