Learning from International Experience in Building


IT & Network Security Seminar of
SECURE-INDONESIA-FIRST.or.id (“id-FIRST”)
Jakarta, March 19, 2003
Towards a Cybersecurity
“Roadmap” for Indonesia:
Role of ‘id-FIRST’ in coordinating
effective response
and stakeholder engagement
By Idris F Sulaiman PhD
USAID ICT Advisor /Economist
State Ministry of Communications and Information and
Partnership for Economic Development
(USAID-Government of Indonesia) Project
PEG
The views expressed in this presentation are those of the authors and not necessarily
those of USAID, the U.S. Government or the Government of Indonesia.
Topics
• 1) Introduction:
– Some lessons best learnt without experience
– Need for a comprehensive approach:
• USAID, APECTEL & various National Strategies
• 2) Building blocks of Cybersecurity “Roadmap”:
– Legal & Policy Framework
– Law Enforcement Agency (LEA) Capacity Building
– IT Security Teams and CERT Capacity Building
– Creation of IT Employment Opportunities, Facilitation of
Secure Investment Climate and Risk Reduction:
* Unemployment -- Cybercrime link?
* Hacker outreach -- work on IT development
• 3) Summing up
Heed Warnings! Some lessons are best learned without the experience!
CELL PHONE + GAS PUMP: A DANGEROUS COMBO!
Cell Phones & Gasoline Do Not Mix!
3 incidents reported at gas stations:
The key pad or ringer apparently produces a small electric spark…
• While pumping fuel, a car caught fire from fumes emitted from the tank –
a cell phone placed on the trunk of the car rang.
• A man got his face burnt while talking on the phone when refuelling his car.
• A cell phone burnt a man’s trousers – the phone in his pocket rang while
he was refuelling his car.
Tragic! Not funny! Laughing stock ex-post.
Don’t let it happen to you!
These incidents could be avoided.
• Keep your cell phone switched off at gas stations.
• If expecting an urgent call and the phone cannot be switched off,
KEEP IT IN THE CAR – do not answer a cell phone when fuelling up.
• Reference: HSE Warning from Society of Petroleum Engineers –
Dated: 2nd November 2001
Your cell phone could ignite a fire!
1. INTRODUCTION
USAID Indonesia approach
• Get policy right first, telecom/Internet build-out will follow
• Framework used in ICT assessment of 20 countries: see
“USAID Indonesia-ICT Assessment 2001” (IIA2001) Report:
– Policies (Telecom & E-Commerce Regimes)
– Pipes (Infrastructure)
– Private Sector (Fostering Entrepreneurship and
Removal of Impediments)
– People (E-leadership, HRD & Applications
Development)
• The 4 “P’s” form a comprehensive approach to ICT development
• A tool which can be used at global, national and local levels to
prioritize development initiatives
• The interaction between them has the potential to create significant
multiplier & network effects (comprehensive approach).
2. ON-GOING WORK: USAID-PEG Project’s ICT activities
Continue to facilitate the implementation of the National ICT Action Plan
(Indonesian Presidential Executive Order, InPres No:6/2001)
(1) E-Government : Egov.Task Force, meeting challenges of
governance reform at national and regional levels
(2) Wartel, Warnet and Tele-Center (Warnet+ + +) development
(3) Improve ICT use by Small and Medium-sized Businesses
(4) Improve telecommunications regulatory framework:
facilitate the establishment of modern licensing, frequency management,
an independent telecom regulatory body & other policy innovations;
adoption of e-Commerce and Cyber laws, anti-monopoly enforcement
(5) Cybersecurity:
Facilitate legal and technical capacity building and other
policies and activities to promote cybersecurity
2. LEGAL ISSUES
REGIONAL CYBERSECURITY EFFORT: APECTEL 26, MOSCOW
• 26th Meeting of the
Telecommunications and Information
Working Group of the Asia Pacific
Economic Cooperation (APEC)
– Members and observer economies
– Legal Workshop to Combat
Cybercrime (Aug 17-18, 2002) sponsored by
US-Dept of Justice, US-State Dept & USAID
– APECTEL’s sessions (Aug 19-23,’02)
• European Electronic Standard Signatures Initiatives (EESSI), part of the
E-Security Task Group (ETG), part of the
Business Facilitation Steering Group (BFSG)
• Development Cooperation SG (DCSG)
Legal Framework to Counter Cyber Crime
• Aim: for members to take steps towards harmonizing
• (1) substantive laws to deter criminal misuse of and
attacks on computer networks;
• (2) procedural laws to regulate government access to
information in order to investigate and deter all sorts of
crime facilitated by computer networks; and
• (3) laws to assure effective international coordination
• International Framework used:
– United Nations General Assembly (UNGA) Resolution 55/63
Combating the Criminal Misuse of Information Technologies
– Council of Europe Cybercrime Convention (Nov. 2001, signed by
30 countries including APEC members)
– “APEC Cybersecurity Strategy” proposals (adopted by the
APECTEL26 Plenary Session)
APEC Cyber Security Strategy
• Comprehensive approach: 5 initiatives, with action
items – the basis of the country’s efforts on cybercrime and
critical infrastructure protection (eSecurity Task Group, part
of the Business Facilitation Steering Group, APECTel 26,
Moscow, Aug 19-23, 2002)
– Legal developments
– Information sharing and cooperation
– Security and technical guidelines
– Public awareness and education
– Wireless security
• Economic Security – Development Cooperation on job creation to bridge
the digital divide (Development Cooperation Steering Group for TEL26).
Major result: Digital Divide Blueprint for Action, Supporting Micro/SMEs,
and Considering Next-Generation Technologies and their role in
Infrastructure Development
Developing legal framework to combat
cybercrime in Indonesia
• Adoption of laws is costly and the choice of
law cannot be taken lightly because it would
require institutional and resource
preconditions
• Legal reform by itself will not result in a better
business and investment climate because
enforcement and public trust are the decisive
factors
• A comprehensive approach needed to remove
barriers and constraints
• What are the drivers and constraints?
• Examples: draft cyberlaw & e-signature law
3. TECHNICAL ISSUES
BUILDING ON TECHNICAL CAPABILITIES and TRANSPARENCY
• (1) Limited resources of law enforcement: the IT Cybercrime Unit of the
National Police (POLRI) is staffed with only a handful of senior investigators
for a country of 220 million. Training has started at the International Law
Enforcement Academy, Bangkok, Thailand, but only for 2 officers per year.
Local training is an alternative to overcome the shortage of forensic and
investigator specialists. POLRI is seeking further assistance.
• (2) Transparency and trust building between law enforcement and the
business community is essential; Indonesia’s police need to work together
with businesses in dealing with crime. Improved privacy/rights protection is
needed if Indonesian businesses and the police are to cooperate effectively
(slow progress in the implementation of the Freedom of Information Law).
• (3) Courts: There are deeper problems associated with the Indonesian court
system, but there are some improvements (e.g. the Manulife case).
• (4) ID-FIRST – a new forum for stakeholders and constituency building for
ISPs, universities, banks, energy & power, telecom & others through their
industry associations. Each is to build its own Warning And Response Points
(WARPs) and Computer Emergency Response Teams (CERTs).
ID-FIRST is to facilitate CERTs and WARPs in obtaining assistance.
• (5) The government to build a National Critical Infrastructure Protection
Coordination Task Force (NCIPC Task Force)
– Without coordinating all (1-5), cyber security will be inadequate
id-FIRST Background
• Forum for ICT-incident Response and
Security Teams (id-FIRST Foundation)
– Supervisory Board: Forum of industry associations
(APJII, ASPILUKI, APKOMINDO, ANIMA, INDOWLI and others in FTII, MASTEL, AKKI, ICT Watch)
– Task Force of IT Security Teams (ID-CERT,
ID-ISP-CERT, each industry’s WARPs/CERTs)
– Commissioner Board: Authoritative persons
– Executive Board: Staffed by professionals
– All boards will be elected annually, coordinated by the
Founding Board, based on industry volunteers
• Current services
– Mailing list [email protected] – statistics collected
– Responding to inquiries from inside & outside Indonesia
– Clearing house for information on IT & net security
International Symposium CERT-RO, August 27-28, 2002 Amsterdam,
the Netherlands
• Alternatives in Computer Emergency Response or E-Security:
– US: CERT/CC – Carnegie-Mellon Univ., Pittsburgh (established November 1988)
– UK: NISCC – UK government, UK CIP Programme (established 1992)
– AU: AusCERT – Queensland University, Brisbane (established October 1992)
– NL: CERT-RO – runs the Dutch Alerting Service, est. by ICTU (test run Sep. 2002)
– AP-CERT Task Force: proposed in Tokyo, Japan (March 2002); formal
est. date March 2003, APECTEL 27th Meeting in Kuala Lumpur, Malaysia
– EU: EuroCERT (97-99), now CSIRT Task Force – 79 European CERTs
– Workshop 1: CERTs and Critical Infrastructure Protection (CIP) – establishing
effective information sharing and cooperative agreements; national and
regional level initiatives
– Workshop 2: Pragmatic analysis of what is working and
The Netherlands Symposium
CONCLUSIONS:
• Asia: ideal for cybersecurity regionalization because there are many emerging
CERTs and there is often only one per country. Trust relationships are not easy
to establish, but the APCERT/APEC initiative receives strong support
• Europe: regionalization started in 1992 & has been quite successful, but all
CERTs combined are yet to cover all critical infrastructure – there are still
blind spots. Exchange of information about security incidents works well.
A standard for incident reporting and exchange is being developed.
• Alternatives in cybersecurity initiatives (business models):
• Academic-sector organizations with premium service to the private sector
– US CERT-CC – US Electronic Industry Alliance, Au-CERT and others
• Public-private partnerships with private and public financing
– UK Action 2000/Y2K private company, Min of Telecom owned; Belgian
e-Security Platform (BIPT) & Austria’s CIRCA (MoT and ISPs owned); VDI Norway
• Government managed organisations, with civil service and/or military
personnel
– UK’s National Infrastructure Security Coordination Centre (NISCC)
– France’s CERT-A, Netherlands’ CERT-RO, Germany’s CERT-BUND
– US National Infrastructure Protection Centre (NIPC) and Information
Sharing and Analysis Centers (ISACs), USG Sector Liaisons – banking,
power & telecom
• US Presidential Decision Directive 63, 2002 – Homeland Security
Dependability Development Support Initiative (DDSI) Conference,
Belgium, Oct 10, 2002
• European strategy or “Roadmap for Securing the Information Society”
– key aspects:
– Warning and Information Sharing (on electronic attacks, i.e.
hacking, viruses, Trojans, DDoS, etc.)
– Public/private Partnerships and
– R&D Program (using dependability as an approach)
• Government Mechanisms (US, the Netherlands, UK’s Information Assurance
Advisory Council) and International Approaches (EU, OECD and others)
• Dependability (Security, Reliability and Safety) in:
– Architecture: An open or closed network? Principle: a small central
organization that builds upon existing sharing networks
– Business Model: Hybrid funding model – a mix of public and private sector
funding for the European capability to retain its objectivity. EU investment
should be targeted to stimulate the development of a sustainable market
for network security information
– Legal consideration: must operate in conformance with Community and
national commercial codes and privacy legislation
Dependability Development Support Initiative (DDSI) Conference (2): US Strategy
• Draft strategy document “The National Strategy to Secure Cyberspace” (Sept 2002)
– Key coordinators: Mr. Richard Clark and Mr. Howard A. Schmidt, respectively
Chairman and VC of the President’s Critical Infrastructure Protection Board (CIPB)
– Out for comments from the public, due date: November 18, 2002.
– See http://www.whitehouse.gov/pcipb/ or www.securecyberspace.gov
• Key elements of the US strategy to secure cyberspace:
– Case for Action: Cyberspace Threats and Vulnerabilities;
– Policies and Principles Guiding the Strategy;
– Highlights of the Strategy; and
• Five levels of the National Strategy
– Home users and small businesses
– Large enterprises
– Critical sectors (Federal, State & Local governments,
Higher Education, and the Private Sector)
– The National Priorities (Certification, Info Sharing, Cybercrime,
Market Forces, Privacy and Civil Liberties, Cyberspace analysis,
Continuity of operations, Recovery and Reconstitution)
– The Global Issues (Coordination through APEC, 24/7 Coord Centers)
Dependability Development Support Initiative (DDSI) Conference (3): US Strategy
• Key Elements: 6 major tools to secure cyberspace
– Awareness raising and information dissemination
– Technology tools
– Training and education
– Partnership between private sector, academia and government
– Federal government leadership role
– Coordination and crisis management
• Partnership for Critical Infrastructure Protection
– this is a US public/private initiative in cybersecurity
(see http://www.pcis.org/)
– Headed by Mr. Kenneth C. Watson, Manager of the
Critical Infrastructure Assurance Group, CISCO
• Dept of Commerce Critical Infrastructure Assurance Office (CIAO)
– Initiated a series of public cybersecurity meetings in several US cities
(see http://www.ciao.org)
– Sponsored meetings with US State and local governments from several
States, including a national-level meeting held in Austin, Texas
(Feb 12-13, 2002) and Princeton, New Jersey, April 23-24, 2002
Dependability Development Support Initiative (DDSI) Conference (4)
• Information Sharing Network:
– Loose voluntary linkage (not a technical comms network) of entities including
CERTs, WARPs, ISACs and other organizations interested in sharing warnings,
vulnerabilities, threats and incident reports, and providing advice to each
other and their own communities
• UK’s “Neighbourhood Watch” – Warning, Advice and Reporting Point (WARP)
– Provides warning, advice and reporting services on Internet security-related matters
– Similar to a CERT but without a capability for responding to incidents
(other than providing advice)
• Information Sharing & Analysis Center (ISAC):
– Conceived in the US under PDD63 (1998) for coordination between organizations
in each CNI sector (Energy, Banking/Finance, Telecommunications, Transport and others)
– IT ISAC, Telecom ISAC
– Predictive ISACs do not normally share reports outside their own (paying)
membership
– FIRST: Forum of Incident Response and Security Teams – the global
organization to which most major CERTs subscribe (www.first.org)
4. INVESTMENT ISSUES – Improve Investment Environment and
Unemployment Alleviation
• Worsening educated unemployment; most official figures underestimate
the true situation. It is heavily concentrated in the cities of Jakarta,
Bandung, Jogyakarta, Semarang and Surabaya, which accounted for over 40%
of all senior high school and nearly half of all graduate unemployed in
urban areas in 1999 (no recent statistics are collected)
• Unemployment rates were also highest in these cities: 19% and over,
versus a 14% unemployment rate among high school graduates in all of
Indonesia in 1999.
• For many unemployed graduates, Internet cafes or Warnets provide a haven
for “carding” (credit card fraud), hacking and other cybercrime activities;
there are few convictions, and those are lightly punished – no deterrent
in the existing laws (even Warnet operators are allegedly involved)
• Improving employment by providing opportunities for IT/software
development SMEs – scale up the successes of software incubation at
Balicamp to Balige Tobacamp, Batu (Malang) Camp, Bogorcamp, Bandung High
Tech Valley and others
Past & Future activities
– Workshops/seminars for awareness raising and capacity building:
• Indon Infocosm Bus. Community (I2BC): Seminar to raise awareness aimed at
I2BC members, namely IT services, media & security firms, Sep 25, 2002
• “Indonesia’s readiness and response to the threat of cybercrime” Seminar,
Showcase and Workshop and Launch of “Secure-Indonesia-FIRST (Forum for
ICT-incidents and Security Teams), March 19-22, 2003, Jakarta
• Policy work on ‘Public Sector Cybersecurity Readiness’ within Min of Comm&
Info and towards a ‘Critical Infrastructure Protection (CIP)’ national coordination
body involving others: Min of Comm& Transport, Coord Min of Political and
Security Affairs, Min of Industry and Trade, Coord Min of Economic Affairs,
National Planning Agency and others.
– Support APEC’s Cybersecurity strategy work; Japan, China, Singapore, NZ,
Canada, US and Australia have indicated particular interest and support for APCERT
– Support APEC Telecom & IT Working Group (APECTEL) 27th Meeting in Kuala
Lumpur, Malaysia as a focus on cybersecurity issues (with a special additional
workshop), 22-28 March 2003
• (see: www.apectel27.org.my)
Towards a Cybersecurity Roadmap...
• Further activities:
– Generate building blocks for “Cybersecurity Roadmap” process
– Overviews – collect info/statistics about incidents of cybercrime and
electronic attack, and existing warning and information sharing initiatives by
selected end-users, and stakeholder identification
– Preparation of background issues and options paper
– Set up trust-building forum to share information
– Improve cybersecurity readiness in legal framework
– Capability building in computer emergency & law enforcement
agencies, but with a “buffer-zone” in between
– Capability building in IT incubation & economic growth response
MORE NEXT STEPS – Lessons from European
Regionalization of CERT/CSIRT Efforts
• In order to respond effectively to possible attacks or problems one has to
know what’s really going on. Is a “script kiddie” at work here, a foreign
security agency, a terrorist, etc.? Who should respond?
• Systems by themselves (usually) don’t respond to attacks. In most cases an
incident is only identified after the fact.
• APCERT and most countries are still trying to come up with a good definition
of who are the stakeholders/constituents of Critical Infrastructure Protection
(CIP).
• Probably the definition will be very similar to the one that was applied in
solving the Y2K problem.
• Key question is: who decides what CIP consists of, and how can this
definition be determined?
• Setting up CERT/CSIRT - private sector or government-lead - would be a
way to concentrate security issues and responsibility.
MORE NEXT STEPS – Lessons from Euro
Regionalization Efforts (2)
• If the Private Sector turns out to be the most significant owner of CIP
or critical computer systems, then operations of industrial parties are
usually based on service level agreements (SLAs), which may be
difficult to influence
• Legislation can be helpful in CIP but doesn’t provide answers as to
who should act in the case of a security incident
• Business continuity and damage minimization usually get a higher
priority than tracing/capturing/prosecuting the perpetrator
• Trust relationships built on personal contact do not scale. In the long
term another method needs to be found, e.g. using certification and
accreditation methods
• Commercial and governmental concerns may clash. In some cases a
party may try to deny the occurrence of an incident or deliberately
underrate its significance
• Define who, what and how: concise definitions are needed!
MORE NEXT STEPS – Lessons from Euro
Regionalization Efforts (3)
• Don’t expect one agency or one group to solve the whole
CIP problem. Define roles and responsibilities; establish
partnerships to tackle CIP.
• A national coordination group of CIP elements needs to be
convened to develop a “Cybersecurity CIP Roadmap” on:
– ARCHITECTURE – Central facilitation body and networks
• Principle: Any initiative should comprise a small central organization
and build upon existing sharing networks
– BUSINESS MODEL – added-value services for specific categories of
potential customer
• Principle: A hybrid/mix of public-private sector funding model
– LEGAL – challenges for CIP implementation must be identified, e.g.
• Competition law, data protection, confidentiality and liability
• Principle: Must operate in conformance with Community and national
commercial codes and privacy legislation
MORE NEXT STEPS – Lessons from Euro
Regionalization Efforts (4)
• To review and consider the whole CIP issue,
distinguish the following five tasks:
• Definition phase
– Task 1: Define CIP (and what are its goals)?
• What does it mean in the national context, in terms of impact?
• Who should be involved? Effectiveness of arrangements on
existing CERTs (including virus alert systems) in preventing, detecting,
and reacting efficiently at national level against network and
information system disruption and attack?
– Task 2: Define roles and responsibilities:
• Who does what?
• What is the role for CERTs and National CIP Coordination?
• The layers of responsibility: political and policy vs.
the operational day-to-day
MORE NEXT STEPS – Lessons from Euro
Regionalization Efforts (5)
• Pre-operational phase
– Task 3: Organise the participation of the parties involved
• Operational phase
– Task 4: Define the structure in which CIP should be organised,
e.g., a joint task force? Use overseas examples, approaches and
lessons learned
– Task 5: How to implement CIP by defining and developing measures?
• Awareness building
• Risk management
• Consequence management
• Information sharing
MORE NEXT STEPS – Asia Pacific Regionalization Effort:
APCERT-APECTEL26 Initiative (6)
• Integrate national teams into the APCERT community
• Establish more CERTs/WARPs near to the end users
• Implementation of national schemes of cooperation
• Bottom-up approach in accordance with CIP structures
• CERT of last resort, National CIP/CSIRT Coordination
• From trust to expectations (trust relationships built on
personal contact do not scale) – longer term alternatives:
– Standardization
– Accreditation
– Certification
– Actively involving new CERTs and helping them
set an appropriate level of expectations for
their service
MORE NEXT STEPS (7): Proposed Relationships APCERT Task
Force and AP Security Incidents Response Coordination
[Diagram: the APCERT Task Force (APCERT-TF) spans the economies VN, KH, PH,
MY, TH, SG, NZ, US, RU, ID, KR, TW, CN, HK, JP, AU, MX, PR and CA; APCERT and
the AP Security Incidents Response Coordination (APSIRC) link to national
teams such as JP-ISP CERT, JP-Gov CERT, JP-Vendor CERT, ID-ISP CERT,
ID-Gov CERT and ID-Vendor CERT]
Future direction in combating cybercrime
• “Cybersecurity Roadmap” needed on:
– Define Architecture, Roles and Responsibilities
– Business Model, Funding and Contributions
– Facilitating Technical Assistance
– Work on Legal Framework and New Guidelines
• Day-to-day Operational Advisories (email & web)
– www.cert.or.id, www.secure-indonesia-first.or.id
• Document translation (in Indonesian & English)
• Ticketing system for incident handling
• Scrubbing of ‘sensitive’ incidents data
• Support from others: Indonesia Internet Business
Community (I2BC), Info-comm (MASTEL) Society,
MCI and Donors ICT Group for Indonesia
Concluding comments
• Building blocks of a cyber security strategy – legal, technical and
investment issues – must be seriously considered by both
private sector and government BEFORE cyber attacks get
worse.
• There are some late-comer advantages for Indonesia and other
developing countries in policy preparation work because:
– There are emerging global and regional efforts (UN General
Assembly, Council of Europe, APEC, European Union)
– Possible initial support from donor organizations through the Donor
ICT Group for Indonesia (World Bank – formally leading the group)
• Cybersecurity preparation is less costly if the private and public
sectors work together, minimize risk and share cost
• Outcome of the cybersecurity strategy will depend on
– Trust-building & focus – both private and public sectors
– Private sector (e-security/ICT industry) lead & public input in debate
– Private sector, government and donors’ effective cooperation
URL addresses
– APECTEL: http://www.apectel.org; OECD: http://www.oecd.org
– European CERT discussions: http://www.ddsi.org, http://www.iaac.org.uk,
http://ewis.jrc.int
– United States: http://www.cert.org, http://www.cybercrime.gov,
http://www.usdoj.go
– Australia: http://www.aucert.org.au, http://www.cript.org.au,
http://www.noie.gov.au
– Netherlands: http://www.cert-ro.nl
– United Kingdom : http://www.niscc.gov.uk
– International forum for CERTs: http://www.first.org
– Canada: http://www.CanCERT.org.ca
– Mexico: http://www.MxCERT.mx
– Japan: http://www.JpCERT.or.jp
– Malaysia: http://www.mycert.org.my
– Singapore: http://www.singcert.org.sg
– Thailand: http://thaicert.nectec.or.th/
– Taiwan: http://www.cert.org.tw
Thank You
• Please provide feedback to:
Idris F. Sulaiman
Tel: +62 21 520 1047
Fax: +62 21 521 0311
Email: [email protected]
• Websites:
Partnership for Economic Growth (PEG) Project:
www.pegasus.or.id
• Related USAID ICT Projects/Activities:
Economic, Law, Institutional & Professional
Strengthening (ELIPS) Project : www.elips.or.id
The Asia Foundation, Indonesia: www.tafindo.org
• USAID Indonesia :
www.usaid.gov/id