Critical Information Infrastructure Protection – essential during War times or Peace times or both?

Prof Basie von Solms, University of Johannesburg, Johannesburg, basievs@uj.ac.za

Presentation Transcript


  1. Critical Information Infrastructure Protection – essential during War times or Peace times or both?
     Prof Basie von Solms, University of Johannesburg, Johannesburg, basievs@uj.ac.za

  2. AGENDA
     • What is Critical Information Infrastructure (CII)?
     • What do CIIs consist of?
     • What are the risks related to CIIs?
     • What is Critical Information Infrastructure Protection (CIIP)?
     • When is CIIP needed/required – during war or during peace?
     • Who is responsible for CIIP?
     • What is the relationship between CIIP and Corporate Governance?
     • The Estonia - Russia Cyber war of 2007
     • The role of a CERT/CSIRT
     • The position in SA and Africa

  3. WARNING!!!!
     • Nothing I will say is new!
     • Most of you will be up to date on everything I am going to say!
     • However, we must say it again to stimulate discussion!!

  4. What is CII?
     • Critical information infrastructures (CIIs) are communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy
       Source: Critical Information Infrastructure Protection, A Report of the 2005 Rueschlikon Conference on Information Policy
     • Telecommunications, power distribution, water supply, public health services, national defense (including the military’s warfighting capability), law enforcement, government services, and emergency services (are all part of a country’s CII)
       Source: INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

  5. What is CII?
     • Computers, networks, and network components are now essential to virtually all of (a) nation’s critical infrastructures
       Source: Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005
     • CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country

  6. What does CII consist of?
     (IT workers) work with the information technologies in many visible application areas every day. Less visible, and certainly less well understood, is the fact that these technologies – computers, mass storage devices, high-speed networks and network components such as routers and switches, systems and applications software, embedded and wireless devices, and the Internet itself – are now also essential to virtually all of the Nation’s critical infrastructures.
     Source: Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005

  7. What does CII consist of? The growing use of the Internet in CIIs

  8. What are the risks related to CII?
     • ….. an increasing concern (is growing) about attacks from individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering, and acts of war.
       Source: INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003
     • Cybercrime is today the fastest growing form of crime in the world

  9. What are the risks related to CII?
     • … concerns are well founded for a number of reasons, including
       * the dramatic increases in reported computer security incidents,
       * the ease of obtaining and using hacking tools,
       * the steady advance in the sophistication and effectiveness of attack technology, and
       * the dire warnings of new and more destructive attacks.
       Source: INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

  10. What are the risks related to CII? The use of the Internet in CIIs!!!! Information Warfare/National Security (Estonia case study)

  11. What is Critical Information Infrastructure Protection (CIIP)?
     • Ensuring the Confidentiality, Integrity and Availability (CIA) of these infrastructures

  12. When is CIIP needed/required – during war or during peace?
     • From the discussion above, it is absolutely clear that CIIP is required 24/7/365 ‘for ever’
     • <CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country>
     • Protecting the computer systems that support our nation’s critical operations and infrastructures is a continuing concern
       Source: INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

  13. When is CIIP needed/required – during war or during peace?
     The challenge is to realize that CIIP is as essential during peace times as it is during war times. In fact, failures of CIIs during peace times can result in riots and attacks and even war!!!

  14. Who is responsible for CIIP?
     About 85 percent of the United States' critical infrastructures, telecommunications, energy, finance, and transportation systems, are owned and operated by private companies. If our critical infrastructures are targets, it is the private sector that is on the front line.
     Source: Critical Infrastructure Information Security Act, http://www.senate.gov/~bennett/press/record.cfm?id=226461

  15. Who is responsible for CIIP?
     Thus, we have to think differently about national security, as well as who is responsible for it. In the past, the defense of the Nation was about geography and an effective military command-and-control structure. However, now prevention and protection must shift from the command-control structure to partnerships that span private and government interests.
     Source: (2) Critical Infrastructure Information Security Act, http://www.senate.gov/~bennett/press/record.cfm?id=226461

  16. What is Corporate Governance?
     ‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. Information security governance is a subset of organizations’ overall (corporate) governance program.’
     Source: Information Security Governance – A Call to Action, National Cyber Security Summit Task Force, http://www.entrust.com/news/2004/corporategovernancetaskforce.pdf?entsrc=isgfullreport, accessed on 2 April 2008

  17. What is the relationship between CIIP and Corporate Governance?
     • The final area where industry ought to act is in making CIIP a board-level matter, concomitant with general corporate governance activities.
     • CIIP is not a technical matter, but mainstream business matter.
       Source: Critical Information Infrastructure Protection, A Report of the 2005 Rueschlikon Conference on Information Policy

  18. The Estonian Cyber war
     The Estonian Cyberwar refers to a series of cyber attacks that began April 27 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about relocation of a Soviet-era memorial to fallen soldiers, as well as war graves in Tallinn.
     Source: Wikipedia

  19. The Estonian Cyber war
     Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners, because, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare, following Titan Rain.
     Source: Wikipedia

  20. The Estonian Cyber war
     • The main targets have been the websites of:
       · the Estonian presidency and its parliament
       · almost all of the country's government ministries
       · political parties
       · three of the country's six big news organisations
       · two of the biggest banks and
       · firms specializing in communications
     Source: Russia accused of unleashing cyberwar to disable Estonia, http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

  21. The Estonian Cyber war
     Influence on international military doctrines
     The attacks triggered a number of military organisations around the world to reconsider the importance of network security to modern military doctrine. On June 14 2007, defence ministers of NATO members held a meeting in Brussels, issuing a joint communiqué promising immediate action. On June 25, 2007, Estonian president met with the president of USA. Among the topics discussed were the attacks on Estonian infrastructure. As to the placement of a newly planned NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) Bush proclaimed the policy of USA as supporting Estonia as this centre's location.
     Source: Russia accused of unleashing cyberwar to disable Estonia, http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

  22. Summary
     • CIIP is a coordinated synergistic effort including
       • the Government
       • the Private sector
       • the Defence/Military/intelligence agencies
       • Research agencies
       • Academics and Universities
       • all IT workers
       • friendly countries

  23. Summary
     • CIIP is a coordinated synergistic effort including
       • the Government
       • the Private sector
       • the Defence/Military/intelligence agencies
       • Research agencies
       • Academics and Universities
       • all IT workers
       • friendly countries
     Computer Security Incident Response Team (CSIRT)/ Computer Emergency Response Team (CERT)

  24. The role of a CERT/CSIRT
     The United States Computer Emergency Readiness Team (US-CERT) is …… intended to coordinate the response to security threats from the Internet. As such, it releases information about current security issues, vulnerabilities and exploits …….

  25. The role of a CERT/CSIRT
     • A CSIRT can most easily be described by analogy with a fire department.
       • reactive
       • proactive

  26. CSIRTs in SA
     • 2005 – Cobus Venter & Bernard Taute
     • 2007 – JCSE
     • 2008 – No up to date info could be found (any inputs???)
     Sources:
     • The cost of cybercrime, http://www.polity.org.za/article.php?a_id=69510
     • SA takes first steps towards Computer Security Incident Response Team (CSIRT), http://cbr.co.za/news.aspx?pklNewsId=27281&pklCategoryID=378

  27. CSIRTs in Africa
     Why am I here: I (on behalf of the international Cyber Security Incident Response Teams community) want National point of contact CSIRT at each of the African countries to be the focal point for the incident response coordination!
     Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center, Japan, @CSIRT Training in AfNOG tutorial, Morocco. 1 June, 2008
     Setting up CSIRT in the Africa Region, www.afnog.org/talks.html

  28. CSIRTs in Africa JPCERT/CC is a CSIRT established in Japan. It acts as a "CSIRT of the CSIRTs" in the Japanese community. JPCERT/CC coordinates its activities with trusted CSIRTs worldwide. The goal of AfNOG is to share experience of technical challenges in setting up, building and running IP networks on the African continent.

  29. Summary
     • CIIP is essential for SA and Africa
     • CIIP is a Corporate Governance responsibility
     • CIIP involves a comprehensive set of role players
     • CIIP needs CSIRTs
     • CIIP needs inter country cooperation
     Where do we stand in SA and in Africa???

  30. New journal The scope of the journal includes, but is not limited to: Information security challenges and implementation issues that are common (as well as unique) to infrastructure sectors. Elucidation of the interdependencies existing between infrastructure sectors and their information security protection. Core security principles and techniques that can be applied to address problems in information infrastructure protection. Development of sophisticated information infrastructure protection solutions that blend scientific methods, engineering techniques and public policy.

  31. Let’s talk!!!! Thanks