PEG Towards a Secure e-Business Environment for Indonesia: id-FIRST Role in Industry Cooperation for Reporting Crimes and Sharing Threat Information By Idris F Sulaiman PhD USAID ICT Advisor /Economist State Ministry of Communications and Information and Partnership for Economic Development (USAID-Government of Indonesia) Project Debriefing Seminar of Bangkok Conference on “Cybercrime Legislation and Enforcement Capacity Building” July 30, 2003, Jakarta The views expressed in this presentation are those of the authors and not necessarily those of USAID, the U.S. Government or the Government of Indonesia.

PEG Topics 1) Introduction: –APEC Cybersecurity Strategy 2) Some lessons learnt from Bangkok Conference: –A Key Building Block of Cybersecurity: Private Sector Participation Information sharing & Trusted networks Standards setting & C ode of C onduct 3) Concluding comments 1) Introduction: –APEC Cybersecurity Strategy 2) Some lessons learnt from Bangkok Conference: –A Key Building Block of Cybersecurity: Private Sector Participation Information sharing & Trusted networks Standards setting & C ode of C onduct 3) Concluding comments

PEG APEC Cyber Security Strategy Comprehensive approach: 5 initiatives, with action items - basis of the country ’ s efforts on cybercrime and critical infrastructure protection (managed by eSecurity Task Group (e-STG part of Business Facilitation Steering Group, APECTel 26, Moscow, Aug 19-23, 2002) nLegal developments nInformation sharing and cooperation nSecurity and technical guidelines nPublic awareness and education nWireless security Head of States of APEC has approved the strategy in October 2003 with commitments to some deadlines

PEG Implementing The Cyberstrategy LEGAL DEV ’ T: (1) Enactment of E-Transaction Law (RUU-ITE) (2) Enforcement Capacity Building: IT / Cybercrime Unit, National Police (POLRI-BARESKRIM) and Jakarta Metro Police ’ s Cybercrime Unit are building their forensic capabilities and training investigator specialists (3) Need for Awareness Building: Law that is not known is not enforced …. Law that is not enforced is not a (real) law... INFO SHARING AND COOPERATION: Partnership for Critical Infrastructure Protection (US) or Trusted Information Sharing Network (Australia), to share: –Business continuity plans –Consequence management –Information system attacks and vulnerabilities –Cybercrime information sharing –Protection of key sites from attack or sabotage TRUST-IS- #1-ISSUE

PEG Implementing “ Info ” Sharing In Australia

PEG Implementing the Cyberstrategy: What are the responsibilities of CERTs? provide advice to on information systems' security matters –To its stakeholder (eg. ISP-CERT) –To the public establish an incident reporting scheme and liaise with the Police regarding incidents on an “exception” reporting basis –FIRST: Forum of Incidence Response and Security Teams - the global organization to which most major CERTs subscribe (www. first.org)

PEG Implementing Security Standards: Anti-cybercrime Code Of Conduct Australian example on: Consultations with industry, law enforcement and Privacy Commissioner Scheduled for release August 2003 Cooperative liaison between ISPs and Law Enforcement Agencies

PEG Implementing Security Standards: Code Of Conduct Objectives Establish a cooperative working environment between ISPs and LEAs Provide clear guidelines to the satisfaction of both industry and LEAs Provide a transparent mechanism for the handling of LEA’s investigations for the Internet industry Promote positive relations between the LEAs and the Internet industry.

PEG Implementing Security Standards: Code Of Conduct Principles The Code should be technology neutral Requirements should be fair to all concerned Requirements should not adversely affect economic viability The privacy of customers’ details will be respected

PEG Implementing Security Standards: Code Of Conduct Issues Records retention –Balances industry cost and privacy with law enforcement requirements –Who bears of the burden to comply Access to calling line identity data –benefits law enforcement and ISPs Protocols and proformas for access requests –simplifies existing legal obligations

PEG IT Reporting Security Initiatives SURVIVAL OF THE FASTEST … The name of the game is “ speed ” reporting: –Cyber-speed is required to solve cybercrime (Vivienne Tan, Bangkok Aug,2003) InfraGuard (Est. 1996, US): creating Trust Networks between Industry & Gov ’ t UK ’ s “ Neighbourhood Watch ” - Warning, Advice and Reporting Points (WARPs) –Provides warning, advice and reporting services on Internet security-related matters –Similar to a CERT but without a capability for responding to incidents (other than providing advice) Information Sharing & Analysis Center (ISAC): –Conceived in US under PDD63 (1998) for coordination between organizations in each CNI sector (Energy, Banking/Finance, Telecommunications, Transport and others) –Examples in: IT, Banking & Telecom –Predictive ISACs do not normally share reports outside their own (paying) membership

PEG id-FIRST Background Forum for Awareness Raising F orum for I CT-incident R esponse and S ecurity T eams (id-FIRST) –Secure-Indonesia-FIRST.or.id –Forum of ICT-incident Reporting for Industry Associations (1st FTII: APJII, ASPILUKI, APKOMINDO, ANIMA, INDO-WLI other IAs to follow?) - possible WARPs/InfraGuards model –Links with Response Security Teams (ID-CERT & ID-ISP-CERT) Teams and others in each industry Current & Future services: –Mailing list - statistics collection, new start! –Clearing house for information on Security Code of Conduct, Awareness Raising, Links with similar Forums abroad –Make “ business case ” for ICT “ insurance ” - Research on incidence of cybercrime and quantify the damage New PS Forum

PEG Concluding comments Some late-comer advantages for Indonesia and other developing countries on policy preparations work, examples: –Malaysia & Philippines (Cyberlaw “ gestation ” & evolution and the need for Business involvement in securing e-Business Env ’ t) –Hong Kong & Canada (Law Enforcement Equipment and Training to meet the needs for 24 hour by 7 days Network) –Australia, United States & UK (private-public sector cooperation) Cybersecurity is ‘ pro-active ’ and ‘ pre- emptive ’ - higher return than mere focus on ‘ reactive ’ but need “ business case ” Formulate an implementable cybersecurity strategy, “ step-by- step ” in each to realize an effective “ Roadmap ” need business involvement and “ real ” participation: nLegal developments nInformation sharing and cooperation nSecurity and technical guidelines nPublic awareness and education So What?

PEG URL references APEC Telecommunications and Information Working Group - APECTEL ( see ) US National Strategy to Secure Cyberspace ( see ) Partnership for Critical Infrastructure Protection - this is a US public/private initiative in cybersecurity ( see ) IT SECURITY TRAINING: developed in conjunction with TEL HumanResources Development Steering Group -Eight modules - Available free of charge for non-commercial purposes, Hosted by Idaho State University at eSTG Website: APEC Cybersecurity Strategy: TELMIN Statement on the Security of Information and Communication Networks APEC Leaders Statement: Dept of Commerce Critical Infrastructure Assurance Office (CIAO ) –Initiated a series of public cybersecurity meetings in several US cities ( see )

PEG Terima Kasih - Thank You - Kop Kun Krap/Kah Please provide feedback to : Idris F. Sulaiman Tel: Fax: provide feedback to : Idris F. Sulaiman Tel: Fax: Please download more information from: ( “ id-FIRST ” )Please download more information from: ( “ id-FIRST ” ) Related USAID ICT Projects/Activities:Related USAID ICT Projects/Activities: Partnership for Economic Growth (PEG) Project: for Economic Growth (PEG) Project: Economic, Law, Institutional & Professional Strengthening (ELIPS) Project : Law, Institutional & Professional Strengthening (ELIPS) Project : The Asia Foundation, Indonesia: Asia Foundation, Indonesia: USAID Indonesia : Indonesia :