why government & corporate cyber programmes are failing

Post on 23-Dec-2014


DESCRIPTION

Why Government & Corporate Cyber Programmes are Failing by Dr. Frederick Wamala at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

TRANSCRIPT

International Telecommunication Union

Why Government & Corporate Cyber Programmes are failing

Trivandrum, Kerala, India, 3-4 August 2012

Dr. Frederick Wamala, CISSP®

© Dr. Frederick Wamala, CISSP®

Disclaimer – One for the Lawyers

Opinions expressed here are mine. The views I express do not necessarily reflect those of any past or present employers and/or associates.

All trademarks are the properties of their respective owners.


Quotation – Cybercrime

“In fact, in my opinion, it's the greatest transfer of wealth in history ... McAfee estimates that $1 trillion was spent globally under remediation. And that's our future disappearing in front of us.”

– Gen. Keith Alexander, NSA/CYBERCOM

ITU Cybersecurity Strategy Guides


Cybersecurity Strategy Model


Cybersecurity Strategy Model


URL: http://www.itu.int/ITU-D/cyb/cybersecurity/strategies.html


Strategic Context


Critical Information Infrastructure (CII)


Privately-owned – Govt oversight?


Focus on attack methods not Sources


Threat Assessment


Incomplete Threat Assessments

Threat Sources and Threat Actors

Capability: Level 1 – Opportunistic; Level 5 – Extremely capable and well resourced to carry out sophisticated attacks, e.g. Flame

Motivation: Level 0 – No interest in attacking a given system; Level 5 – An absolute priority of the actor to breach the security of a given system. Use all means, e.g. detailed research, bribery, coercion,


Failure to understand “Cybersecurity Ends”


Cybersecurity “Intensity of Interest”

Cybersecurity is not JUST a technical issue

Cyber attacks threaten ‘vital’ interests of States

India – Impact on Diplomatic Affairs

“A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process.”


Gaps – Legal Measures


Cybercrime legislation coverage

Criminalisation – Substantive criminal law, e.g. unauthorised access to computer systems and networks

Jurisdiction

Procedure and law enforcement – Investigative measures

Electronic evidence

Liability of internet service providers

International cooperation

Convention on Cybercrime – 2001

Council of Europe Convention on Cybercrime – areas covered: Criminalization; Procedures; Jurisdiction; International Cooperation

Coverage categories (figure labels): Criminalization; Procedures; Electronic evidence; Jurisdiction; Service Provider Liability; International Cooperation

Commonwealth Legislation – 2002

Commonwealth Model Legislation – areas covered: Criminalization; Procedures; Electronic evidence; Jurisdiction; International Cooperation

Coverage categories (figure labels): Criminalization; Procedures; Electronic evidence; Jurisdiction; Service Provider Liability; International Cooperation

US – Joint Chief Lobby for Legislation


Technical and Procedural Measures


Reactive – Subversion of Products


UK – Capacity to certify products


India – Comprehensive Approach


Gaps – Organisational Structures


India – National Cybersecurity Strategy

MCIT/Departmental cybersecurity strategy

Only CERT-In has a national cyber mandate

Oversight: MCIT; Defence, Home Affairs, NSA

DHS vs. White House Czar mandates


US – NSA involvement questioned


Gaps – Capacity Building


Gaps – Cybersecurity Skills

“India is regarded as an IT superpower but its record on IT security is not too brilliant. ... It does not have the required number of experts and professionals in cyber security.”


– Dr. Arvind Gupta, IDSA, India, 27/06/2012


UK – Intelligence not retaining staff


Gaps – International Cooperation


Russia rejects Convention


Convention – Article 32


EU and US wreck UN Treaty


Conclusion


Questions?

Dr. Frederick Wamala, CISSP® – Cybersecurity Adviser, Strategic and Technical

E-mail: f.wamala@efrivo.com

Twitter: @DrWamala
