Presentation is loading. Please wait.

Presentation is loading. Please wait.

Critical Information Infrastructure Protection – essential during War times or Peace times or both? Prof Basie von Solms University of Johannesburg Johannesburg.

Similar presentations


Presentation on theme: "Critical Information Infrastructure Protection – essential during War times or Peace times or both? Prof Basie von Solms University of Johannesburg Johannesburg."— Presentation transcript:

1 Critical Information Infrastructure Protection – essential during War times or Peace times or both? Prof Basie von Solms University of Johannesburg Johannesburg basievs@uj.ac.za

2 What is Critical Information Infrastructure (CII)? What does CIIs consist of? What are the risks related to CIIs? What is Critical Information Infrastructure Protection (CIIP)? When is CIIP needed/required – during war or during peace? Who is responsible for CIIP? What is the relationship between CIIP and Corporate Governance? The Estonia - Russia Cyber war of 2007 The role of a CERT/CSIRT The position in SA and Africa AGENDA

3 WARNING!!!! Nothing I will say is new! Most of you will be up to date on everything I am going to say! However, we must say it again to stimulate discussion!!

4 What is CII ? Critical information infrastructures (CIIs) are communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy Critical Information Infrastructure Protection, A Report of the 2005 Rueschlikon Conference on Information Policy Telecommunications, power distribution, water supply, public health services, national defense (including the military’s warfighting capability), law enforcement, government services, and emergency services (are all part of a country’s CII) INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

5 What is CII ? Computers, networks, and network components are now essential to virtually all of (a) nation’s critical infrastructures Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005 CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country

6 What does CII consist of? (IT workers) work with the information technologies in many visible application areas every day Less visible, and certainly less well understood, is the fact that these technologies – computers, mass storage devices, high-speed networks and network components such as routers and switches, systems and applications software, embedded and wireless devices, and the Internet itself – are now also essential to virtually all of the Nation’s critical infrastructures Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005

7 What does CII consist of? The growing use of the Internet in CIIs

8 What are the risks related to CII? ….. an increasing concern (is growing) about attacks from individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering, and acts of war. INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003 Cybercrime to today the fastest growing form of crime in the world

9 What are the risks related to CII? … concerns are well founded for a number of reasons, including * the dramatic increases in reported computer security incidents, * the ease of obtaining and using hacking tools, * the steady advance in the sophistication and effectiveness of attack technology, and * the dire warnings of new and more destructive attacks. INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

10 What are the risks related to CII? The use of the Internet in CIIs!!!! Information Warfare/National Security (Estonia case study)

11 What is Critical Information Infrastructure Protection (CIIP)? Ensuring the Confidentiality, Integrity and Availability (CIA) of these infrastructures

12 When is CIIP needed/required – during war or during peace? From the discussion above, it is absolutely clear that CIIP is required 24/7/365 ‘for ever’ Protecting the computer systems that support our nation’s critical operations and infrastructures is a continuing concern INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

13 When is CIIP needed/required – during war or during peace? The challenge is to realize that CIIP is as essential during peace times as it is during war times – In fact, failures of CIIs during peace times can result in riots and attacks and even war!!!

14 Who is responsible for CIIP? About 85 percent of the United States' critical infrastructures, telecommunications, energy, finance, and transportation systems, are owned and operated by private companies If our critical infrastructures are targets, it is the private sector that is on the front line. Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

15 Who is responsible for CIIP? Thus, we have to think differently about national security, as well as who is responsible for it. In the past, the defense of the Nation was about geography and an effective military command-and-control structure. However, now prevention and protection must shift from the command-control structure to partnerships that span private and government interests. (2) Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

16 What is Corporate Governance? ‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of organizations’ overall (corporate) governance program.’ Information Security Governance – A Call to Action, National Cyber Security Summit Task Force, http://www.entrust.com/news/2004/corporategovernancetaskforce.pdf?entsrc=isgfullreporthttp://www.entrust.com/news/2004/corporategovernancetaskforce.pdf?entsrc=isgfullreport, accessed on 2 April 2008

17 What is the relationship between CIIP and Corporate Governance? The final area where industry ought to act is in making CIIP a board-level matter, concomitant with general corporate governance activities. CIIP is not a technical matter, but mainstream business matter. Critical Information Infrastructure Protection, A Report of the 2005 Rueschlikon Conference on Information Policy

18 The Estonian Cyber war The Estonian Cyberwar refers to a series of cyber attacks that began April 27 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about relocation of a Soviet-era memorial to fallen soldiers, as well as war graves in Tallinn Wikipedia

19 The Estonian Cyber war Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners, because, at the time it occurred, it may have been the second-largest instance of state- sponsored cyberwarfare, following Titan Rain Wikipedia

20 The Estonian Cyber war The main targets have been the websites of: · the Estonian presidency and its parliament · almost all of the country's government ministries · political parties · three of the country's six big news organisations · two of the biggest banks and firms specializing in communications Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

21 The Estonian Cyber war Influence on international military doctrines The attacks triggered a number of military organisations around the world to reconsider the importance of network security to modern military doctrine. On June 14 2007, defence ministers of NATO members held a meeting in Brussels, issuing a joint communiqué promising immediate action. On June 25, 2007, Estonian president met with the president of USA Among the topics discussed were the attacks on Estonian infrastructure. As to the placement of a newly planned NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Bush proclaimed the policy of USA as supporting Estonia as this centre's location. Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

22 Summary CIIP is a coordinated synergistic effort including the Government the Private sector the Defence/Military/intelligence agencies Research agencies Academics and Universities all IT workers friendly countries

23 Summary CIIP is a coordinated synergistic effort including the Government the Private sector the Defence/Military/intelligence agencies Research agencies Academics and Universities all IT workers friendly countries Computer Security Incident Response Team (CSIRT)/ Computer Emergency Response Team (CERT)

24 The role of a CERT/CSIRT The United States Computer Emergency Readiness Team (US-CERT) is …… intended to coordinate the respond to security threats from the Internet. As such, it releases information about current security issues, vulnerabilities and exploits …….vulnerabilitiesexploits

25 A CSIRT can most easily be described by analogy with a fire department. reactive proactive The role of a CERT/CSIRT

26 CSIRTs in SA 2005 – Cobus Venter & Bernard Taute 2007 – JCSE 2008 – No up to date info could be found (any inputs???) The cost of cybercrime, http://www.polity.org.za/article.php?a_id=69510 SA takes first steps towards Computer Security Incident Response Team (CSIRT), http://cbr.co.za/news.aspx?pklNewsId=27281&pklCategoryID=378

27 CSIRTs in Africa Why am I here: I (on behalf of the international Cyber Security Incident Response Teams community) want National point of contact CSIRT at each of the African countries to be the focal point for the incident response coordination! Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center, Japan, @CSIRT Training in AfNOG tutorial, Morocco. 1 June, 2008 Setting up CSIRTin the Africa Region, www.afnog.org/talks.html

28 JPCERT/CC is a CSIRT established in Japan. It acts as a "CSIRT of the CSIRTs" in the Japanese community. JPCERT/CC coordinates its activities with trusted CSIRTs worldwide. The goal of AfNOG is to share experience of technical challenges in setting up, building and running IP networks on the African continent. CSIRTs in Africa

29 Summary CIIP is essential for SA and Africa CIIP is a Corporate Governance responsibility CIIP involves a comprehensive set of role players CIIP needs CSIRTs CIIP need inter country cooperation Where do we stand in SA and in Africa???

30 The scope of the journal includes, but is not limited to: Information security challenges and implementation issues that are common (as well as unique) to infrastructure sectors. Elucidation of the interdependencies existing between infrastructure sectors and their information security protection. Core security principles and techniques that can be applied to address problems in information infrastructure protection. Development of sophisticated information infrastructure protection solutions that blend scientific methods, engineering techniques and public policy. New journal

31 Thanks Let’s talk!!!!


Download ppt "Critical Information Infrastructure Protection – essential during War times or Peace times or both? Prof Basie von Solms University of Johannesburg Johannesburg."

Similar presentations


Ads by Google