why government & corporate cyber programmes are failing


Why Government & Corporate Cyber Programmes are Failing by Dr. Frederick Wamala at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

TRANSCRIPT

Page 1: Why Government & Corporate Cyber Programmes are Failing

International Telecommunication Union

Why Government & Corporate Cyber Programmes are failing

Trivandrum, Kerala, India, 3-4 August 2012

Dr. Frederick Wamala, CISSP®

Page 2: Why Government & Corporate Cyber Programmes are Failing

© Dr. Frederick Wamala, CISSP®

Disclaimer – One for the Lawyers


Opinions expressed here are mine. The views I express do not necessarily reflect those of any past or present employers and/or associates.

All trademarks are the properties of their respective owners.

Page 3: Why Government & Corporate Cyber Programmes are Failing

Quotation – Cybercrime

“In fact, in my opinion, it's the greatest transfer of wealth in history ... McAfee estimates that $1 trillion was spent globally under remediation. And that's our future disappearing in front of us.”

– Gen. Keith Alexander, NSA/CYBERCOM

Page 4: Why Government & Corporate Cyber Programmes are Failing

ITU Cybersecurity Strategy Guides

Page 5: Why Government & Corporate Cyber Programmes are Failing

Cybersecurity Strategy Model

Page 6: Why Government & Corporate Cyber Programmes are Failing

Cybersecurity Strategy Model

URL: http://www.itu.int/ITU-D/cyb/cybersecurity/strategies.html

Page 7: Why Government & Corporate Cyber Programmes are Failing

Strategic Context

Page 8: Why Government & Corporate Cyber Programmes are Failing

Critical Information Infrastructure (CII)

Page 9: Why Government & Corporate Cyber Programmes are Failing

Privately-owned – Govt oversight?

Page 10: Why Government & Corporate Cyber Programmes are Failing


Page 11: Why Government & Corporate Cyber Programmes are Failing

Focus on attack methods, not Sources

Page 12: Why Government & Corporate Cyber Programmes are Failing

Threat Assessment

Page 13: Why Government & Corporate Cyber Programmes are Failing

Incomplete Threat Assessments

Threat Sources and Threat Actors

Capability
Level 1 – Opportunistic
Level 5 – Extremely capable and well resourced to carry out sophisticated attacks, e.g. Flame

Motivation
Level 0 – No interest in attacking a given system
Level 5 – An absolute priority of the actor to breach the security of a given system. Uses all means, e.g. detailed research, bribery, coercion,

Page 14: Why Government & Corporate Cyber Programmes are Failing

Failure to understand “Cybersecurity Ends”

Page 15: Why Government & Corporate Cyber Programmes are Failing

Cybersecurity “Intensity of Interest”

Cybersecurity is not JUST a technical issue
Cyber attacks threaten ‘vital’ interests of States

Page 16: Why Government & Corporate Cyber Programmes are Failing


India – Impact on Diplomatic Affairs

“A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process.”


Page 17: Why Government & Corporate Cyber Programmes are Failing

Gaps – Legal Measures

Page 18: Why Government & Corporate Cyber Programmes are Failing

Cybercrime legislation coverage

Criminalisation – substantive criminal law, e.g. unauthorised access to computer systems and networks
Jurisdiction
Procedure and law enforcement investigative measures
Electronic evidence
Liability of internet service providers
International cooperation

Page 19: Why Government & Corporate Cyber Programmes are Failing

Convention on Cybercrime – 2001

Criminalization
Procedures
Jurisdiction
International Cooperation

Council of Europe Convention on Cybercrime – coverage areas: Criminalization, Procedures, Electronic evidence, Jurisdiction, Service Provider Liability, International Cooperation

Page 20: Why Government & Corporate Cyber Programmes are Failing

Commonwealth Legislation – 2002

Criminalization
Procedures
Electronic evidence
Jurisdiction
International Cooperation

Commonwealth Model Legislation – coverage areas: Criminalization, Procedures, Electronic evidence, Jurisdiction, Service Provider Liability, International Cooperation

Page 21: Why Government & Corporate Cyber Programmes are Failing

US – Joint Chief Lobby for Legislation

Page 22: Why Government & Corporate Cyber Programmes are Failing


Page 23: Why Government & Corporate Cyber Programmes are Failing

Technical and Procedural Measures

Page 24: Why Government & Corporate Cyber Programmes are Failing

Reactive – Subversion of Products

Page 25: Why Government & Corporate Cyber Programmes are Failing

UK – Capacity to certify products

Page 26: Why Government & Corporate Cyber Programmes are Failing

India – Comprehensive Approach

Page 27: Why Government & Corporate Cyber Programmes are Failing

Gaps – Organisational Structures

Page 28: Why Government & Corporate Cyber Programmes are Failing

India – National Cybersecurity Strategy

MCIT/Departmental cybersecurity strategy
Only CERT-In has a national cyber mandate
Oversight: MCIT; Defence, Home Affairs, NSA

Page 29: Why Government & Corporate Cyber Programmes are Failing

DHS vs. White House Czar mandates

Page 30: Why Government & Corporate Cyber Programmes are Failing

US – NSA involvement questioned

Page 31: Why Government & Corporate Cyber Programmes are Failing

Gaps – Capacity Building

Page 32: Why Government & Corporate Cyber Programmes are Failing

Gaps – Cybersecurity Skills

“India is regarded as an IT superpower but its record on IT security is not too brilliant. ... It does not have the required number of experts and professionals in cyber security.”

– Dr. Arvind Gupta, IDSA, India, 27/06/2012

Page 33: Why Government & Corporate Cyber Programmes are Failing


Page 34: Why Government & Corporate Cyber Programmes are Failing

UK – Intelligence not retaining staff

Page 35: Why Government & Corporate Cyber Programmes are Failing

Gaps – International Cooperation

Page 36: Why Government & Corporate Cyber Programmes are Failing

Russia rejects Convention

Page 37: Why Government & Corporate Cyber Programmes are Failing

Convention – Article 32

Page 38: Why Government & Corporate Cyber Programmes are Failing

EU and US wreck UN Treaty

Page 39: Why Government & Corporate Cyber Programmes are Failing

Conclusion

Page 40: Why Government & Corporate Cyber Programmes are Failing


Page 41: Why Government & Corporate Cyber Programmes are Failing

Questions?

Dr. Frederick Wamala, CISSP®
Cybersecurity Adviser – Strategic and Technical
E-mail: [email protected]
Twitter: @DrWamala