An Analysis of the Cyber Security Strategy (2008) of Estonia Based in part on ITU Q.22/1 Report On Best Practices For A National Approach To Cybersecurity: Building Blocks For Organizing National Cybersecurity Efforts By Joseph Richardson
National Cybersecurity Strategy
This presentation represents the views of the author and is intended to be used exclusively as a training document.
Elements of Framework
• Policy (goals) on cyber security
• Case for action
• Relationship to other national goals and objectives
• Security initiatives and actions to be undertaken:
  • Collaboration and information exchange
  • Incident management
  • Legal framework
  • Culture of security
• Other considerations

A. Policy (goals) on Cybersecurity
Provided in broad statements:
• Summary (Pg 3): Estonia’s cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole.
• Introduction (Pg 6): The protection of a country’s entire cyber assets calls for a comprehensive effort involving all sectors of national society, a clear and efficient allocation of responsibilities therein for the prevention of cyber attacks, and increased general competence and awareness regarding threats in cyberspace.

A. Policy (goals) on Cybersecurity
Specific detailed goals:
• Summary (Pg 3) and Section 4: Goals and measures (Pg 27)
  • The development … of a system of security measures.
  • Increasing competency in cyber security.
  • Improving the legal framework for … cyber security.
  • Bolstering international co-operation.
  • Raising awareness on cyber security.
B. Case for action
a. Role of ICTs in nation
Summary (Pg 3, Para 5):
• The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need.

B. Case for action
a. Role of ICTs in nation
Details in Section 3.1 (Pg 12):
• The development of Estonia’s information society … has been an important driver in the country’s spectacular economic growth.
• In 2007, 51% of all Estonian households leased high-speed broadband Internet services.
• … the dependence of our daily activities and lifestyle on the security and proper functioning of information technology increases incessantly.
• The functioning of society depends greatly on the seamless operability of the information infrastructure that supports the critical infrastructure and on its resilience against attack.
• The financial sector is one of the most dependent on e-services.

B. Case for action
b. Risk associated with ICTs
• Summary (Pg 3): The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations.
• Introduction (Pg 6): The numerous cyber attacks launched in recent years against advanced information societies … have placed the abuse of cyberspace high on the list of novel threats.

B. Case for action
b. Risk to be managed
Includes those in the previous slide, plus:
• Introduction (Pg 6): The coordinated cyber attacks against Estonian government agencies, banks, and media and telecommunications companies demonstrated that the vulnerability of a society's information systems is an aspect of national security in urgent need of serious appreciation.
• And those enumerated in Threats in cyberspace (Pg 10):
  • Attacks against a nation’s critical infrastructure and its associated information systems.
  • Attacks for financial gain.
C. Relationship to other national goals and objectives
Section 1.2 Cyber Security Strategy and its relation to other national development plans (Pg 8):
• In developing the Cyber Security Strategy, the committee has taken into account national development plans that might also be relevant to information security and the information society, as well as plans relating to internal security and national defence.
• The principles of the current Strategy are in line with the Information Security Interoperability Framework that was adopted by the Ministry of Economic Affairs and Communications on 31st January 2007.
• However, the Cyber Security Strategy does not include
  • national measures to target cyber crime; (or)
  • measures to secure the information systems which pertain to national defence.

D. Security initiatives and actions to be undertaken
Summary (Pg 3), elaborated in Section 4 (Pg 27): Policies for enhancing cyber security:
• The development and large-scale implementation of a system of security measures
• Increasing competence in cyber security
• Improvement of the legal framework for supporting cyber security
• Bolstering international co-operation
• Raising awareness on cyber security
D.1. Collaboration and information exchange
a. Leadership, key participants and assignment of roles
Section 1.2 (Pg 8):
• … the Government has tasked the Ministry of Defence — in co-operation with the Ministry of Education and Research, the Ministry of Justice, the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs and the Ministry of Foreign Affairs — to develop a "Cyber Security Strategy for 2008–2013".1
Section 5 (Pg 35):
• The responsibility for developing the “Implementation Plan for Cyber Security Strategy 2008–2010” lies with the Cyber Security Strategy Committee, led by the Ministry of Defence in co-operation with the Ministry of Education and Research, the Ministry of Justice, the Ministry of Economic Affairs and Communications, the Ministry of Internal Affairs, the Ministry of Foreign Affairs and private sector representatives.

D.1. Collaboration and information exchange
b. Policy development mechanisms
Footnote (Pg 8):
• The development of the Strategy should follow the Government of the Republic Regulation No. 302 of 13th December 2005 on the types of strategic development plans and the procedures for preparation, amendment, implementation, assessment and reporting thereof.

D.1. Collaboration and information exchange
c. Information sharing and operational mechanisms
d. Trusted forums and their operations
e. Industry to industry cooperation, including among interdependent critical industries
• Not specifically addressed, but note that responsibility for implementation was assigned to a committee whose named members include the private sector.
D.2. Incident Management
a. Coordinator for Incident Management (CIM)
b. Roles and responsibilities of CIM
c. Establish CSIRT with national responsibilities (N-CSIRT)
d. Obtain CSIRT services
e. Key cooperating participants and roles
• Estonia has a CERT and does not directly address these CERT establishment issues.

D.2. Incident Management
f. Protection for government operated systems
g. Proposals for protection of national cyber resources
Section 4.1 (Pg 27):
• Estonia will develop a system of security measures … to ensure national cyber security.
Measure 1 (Pg 27):
• Protection of the Critical Information Infrastructure (CII).
Measure 2 (Pg 28):
• Implementation of security measures in the public and private sectors.

D.2. Incident Management
h. Integrated risk management
Section 4.1 (Pg 27), Measure 1:
• The aim is to develop a common methodology for assessing the vulnerability of critical information systems and their support services.
D.3. Legal Framework
a. Legal authorities for review and update
Section 3.4 (Pg 17-19) Cyber security and legal framework:
• Review of law was begun in 2007 and found:
  • “the need of amending and harmonising the following elements of national law”
  • Penal Code, Electronic Communications Act, Personal Data Protection Act, Public Information Act, Information Society Services Act

D.3. Legal Framework
b. Lead ministries
• Not specifically identified – review began 2007
• Ministry of Justice identified as participating in the implementation committee.

D.3. Legal Framework
c. For cybercrime – enforcement initiatives
Section 4.3 (Pg 30) Development of a legal framework for cyber security:
• The development of legislation to ensure cyber security is aimed at creating a robust legal framework for combating cyber crime….

D.3. Legal Framework
d. International cooperation
Section 3.5 (Pg 21) International Co-operation:
• (At Pg 23): Estonia considers active participation in international organisations vital for increasing global cyber security.
D.4. Culture of Security
a. Awareness and outreach programs
Summary (Pg 5): Policy # 5. Raising awareness on cyber security, by:
• presenting Estonia’s expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;
• raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in cyberspace and improving knowledge on the safe use of computers;
• co-ordinating the distribution of information on cyber threats and organising awareness campaigns in co-operation with the private sector.

D.4. Culture of Security
a. Awareness and outreach programs
Section 4.5 (Pg 34) Raising awareness of cyber security. The goals include:
• increasing awareness of information security and the risks stemming from the cyber environment among all computer users;
• spreading awareness of secure computer use and the basic principles of information security among different target groups in society;
• promoting Estonia’s positions on cyber security at both the national and international levels, and supporting the efficient functioning of co-operation networks.

D.4. Culture of Security
b. S&T and R&D
Section 4.2 (Pg 29) Increasing competence in information security:
• Measure 1: Organisation of Training in Cybersecurity
• Measure 2: Enhancing Research and Development
E. Other considerations
1. Budget and financing
Section 5 (Pg 35) Implementation of the Strategy:
• Attention will be given to the concrete actions and funds needed to achieve the objectives of the Strategy in its various fields of competence. Implementation Plans will be developed for two periods: 2008–2010 and 2011–2013.

E. Other considerations
2. Implementation timeframes
Section 5 (Pg 35) Implementation of the Strategy:
• The Strategy was adopted by the Government on 8 May 2008.
• An Implementation Plan for 2008–2010 will be submitted to the Government for approval within three months of the adoption of the Strategy.

E. Other considerations
3. Review and reassessment plans
Section 5 (Pg 35) Implementation of the Strategy:
• The implementation and overall efficiency of the Strategy in meeting its stated objectives will be assessed by the Cyber Security Council of the Security Committee of the Government of the Republic.

Thank you
Joseph Richardson