Cybersecurity: Public Sector Threats and Responses
1. Cybersecurity:
Public Sector Threats and Responses
Kim Andreasson
Managing Director
DAKA advisory AB
Indonesia
Information Security Forum (IISF)
Hotel Hilton Bandung,
10 October 2012
2. Presentation overview
An introduction to cyber security in the public sector
Cyber threats
Public sector responses
Steps towards a more resilient organizational cyber
security strategy
Conclusion
3. Understanding cyber security in
the public sector
A convergence of three trends:
1. Globalization
2. Connectivity
3. E-government
4. 1. Globalization
ICTs contribute strongly to
economic growth and
better social outcomes
Benchmarking the
information society is
important in order for
policy-makers to
understand the factors
behind it and how to
achieve improved
outcomes
Most benchmarks include
a component of
e-government
5. 2. Connectivity
The world will go 120
114.2
from 2bn Internet 100
Mobil e s ubs cri pti ons :
Devel oped countri es
users in 2010 to Mobil e s ubs cri pti ons :
5bn in 2015 80
Devel opi ng countri es
Per 100 inhabitants
70.1
An opportunity 60
to improve 40
service delivery
20
An opportunity 0
to leapfrog 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010
The developed/developing country classifications are based on the UN M49, see:
http://www.itu.int/ITU-D/ict/definitions/regions/index.html
Source: ITU World Telecommunication /ICT Indicators database
6. 3. E-government
Information and service
delivery
Transparency and
accountability
Link to broader
development objectives
Digital by default
7. 3.1. Supply of e-government
Benchmarking global e-government development since 2003 to
“inform and improve the understanding of policy makers’
choices to shape their e-government programs” (UN 2004)
The survey measures “the willingness and capacity of countries
to use online and mobile technology in the execution of
government functions” (UN 2010)
9. 3.3. Demand for e-government
In 1990, the American tax authority, the
IRS, said 4m people used online tax filing
(the first year such service was
available)
In 2000, the number filing their taxes
online had risen to 35m
In 2010, 100m Americans used e-file
10. Enter cyber security
An increase in
usage means an
increase in
dependency
About 75% of
organizations suffer
from a cyber
attack every year
Attacks can
compromise trust
in e-government
11. Categorizing cyber threats
Politically motivated threats:
cyber warfare, cyber terrorism, espionage and hacktivism
Non-politically motivated threats:
typically financially motivated, such as cyber crime,
intellectual property theft, and fraud, but also hacking for
fun or retribution, for example, from a disgruntled employee
12. Understanding cyber threats
“When we first started this process… agencies didn’t know
what they didn’t know.”
-Karen S. Evans
Administrator for E-Government and Information Technology
in testimony before the House Committee on Homeland
Security, February 28, 2008
What is the risk?
Is there control?
Can you live with the residual risk?
What is your response plan when services become
compromised?
13. Public sector responses
The public sector is different as it must consider, for example:
Tension between transparency and privacy
Cost optimization; agencies often only seek to meet minimum
standards
Build closer relations with other stakeholders, including the
private sector
Key performance indicators (KPIs)
But one thing remains the same: Cyber security is a global
phenomenon and a challenge for every organization. It must
be dealt with at all levels, from the international arena to the
regional, national and local levels
14. Global cyber security agenda
1. Legal measures
2. Technical and
procedural
measures
3. Organizational
structures
4. Capacity building
5. International
cooperation
15. The problem for organizational
cyber security
People!
According to the Data Breach
Investigations Report from Verizon, an
American telecommunications firm,
85% of confirmed cyber breaches were
not considered very difficult and 96%
were avoidable
More work is needed to create and
maintain comprehensive yet clearly
communicated cyber security policies
that are enforced
16. Steps towards a more resilient
organizational cyber security
strategy
1. Close the gap between IT and management
2. Improve awareness and education
3. Capture technology trends, including the
move from e-government to m-government
17. Step #1: Close the gap
between IT and management
Assess underlying factor(s), e.g. user
awareness based on an internal
survey
Translate results into KPIs, e.g.
average user awareness
Communicate key message to
management, e.g. the meaning of
score(s) and their importance
related to other issue(s)
18. Step #2: Improve awareness
and education
ICT skills divide
Governments cannot go it
alone; a role for the private
sector and NGOs
Make people SMART:
Specific
Measurable
Attainable
Relevant
Time-bound
19. Step #3: Track trends, such as
mobility
New threats: from spam to spim
and mobile malware
New challenges: insecure wireless
connections, missing (stolen)
devices, data loss, “always on”
connections
Same answers: comprehensive
and clearly communicated
policies that are measurable
20. Conclusion:
measure cyber security at all levels
Compared with just a decade ago, governments have made
significant progress in expanding ICT access
But just as crime have always been part of history, cyber
security is likely to continue well into the future, especially since
the two are increasingly intertwined
There is a demand for measurement at all levels in order to give
policy-makers and public sector managers data, tools and
benchmarks to better understand cyber security from a policy
perspective and to communicate that message
Every case is different, yet fundamentally the same