ITU Workshop on “ICT Security Standardization for Developing Countries”
Critical Information Infrastructure Protection: A Commonwealth Perspective
Geneva, Switzerland, 15-16th September 2014
Dr Martin Koyabe, Head of Research & Consultancy, Commonwealth Telecommunications Organization (CTO)
E-mail: [email protected]
“the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”
“those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.”
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
“Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
Critical Information Infrastructure Protection (CIIP)
• Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or information infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks; many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
#1: Cost and lack of (limited) financial investment
– Funds required to establish a CIIP strategic framework can be a hindrance
– Limited human & institutional resources
#4: Lack of relevant CII strategies, policies & legal framework
– Needs Cybercrime legislation & enforcement mechanisms
– Set up policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#5: Lack of information sharing & knowledge transfer
– It is important at ALL levels: National, Regional & International
– Necessary for developing trust relationships among stakeholders
(1) Establish CIP Goals, e.g.
Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Critical Infrastructure (CI)
CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Understand Critical Infrastructure (CI) Risks
Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
• Articulate CIP policy/goals
The national CIP framework includes relevant government entities, as well as establishing public-private partnerships involving corporate and non-governmental organizations.
• Develop joint PPP plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.
• Create emergency response plans to mitigate damage and promote resiliency.
• Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
• Testing and exercising emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.
• Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
• Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
• Based on Commonwealth Charter of March 2013
– Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to
– The development of free and democratic societies
– The promotion of peace and prosperity to improve the lives of all peoples
– Acknowledging the role of civil society in supporting Commonwealth activities
• Cyberspace today and tomorrow should respect and reflect the Commonwealth Values
– This has led to defining Commonwealth principles for use of
Principle 1: We contribute to a safe and an effective global Cyberspace
• as a partnership between public and private sectors, civil society and users, a collective creation;
• with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
• where investment in the Cyberspace is encouraged and rewarded;
• by providing sufficient neutrality of the network as a provider of information services;
• by offering stability in the provision of reliable and resilient information services;
• by having standardisation to achieve global interoperability;
• by enabling all to participate with equal opportunity of universal access;
• as an open, distributed, interconnected internet;
• providing an environment that is safe for its users, particularly the young and vulnerable;
• made available to users at an affordable price.
Principle 2: Our actions in Cyberspace support broader economic and social development
• by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
• respecting cultural and linguistic diversity without the imposition of beliefs;
• promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;
• allowing free association and interaction between individuals across borders;
• supporting and enhancing digital literacy;
• providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
• enabling and promoting multi-stakeholder partnerships;
• facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
• we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
• individuals, organisations and nations are empowered through their access to knowledge;
• users benefit from the fruits of their labours; intellectual property is protected accordingly;
• users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
• responsible behaviour demands users all meet minimum Cyberhygiene requirements;
• we protect the vulnerable in society in their use of Cyberspace;
• we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.