CTO Cyber Security Conference Key Note Address by UK Security Minister
Cybersecurity Event 2010

CYBERSECURITY FORUM 2010 EVENT REPORT (a CTO event)
17 - 18 JUNE 2010, LONDON
Common Responses to a Global Challenge

Hosted by: BIS, Department for Business, Innovation & Skills
Organised by: Commonwealth Telecommunications Organisation
Silver Sponsor and Supporting Organisations: Digital Systems Knowledge Transfer Network; CMAI; a body representing the UK technology industry
Media Partners: Balancing Act (Africa news)
www.cto.int
Delegates participate at the CTO Cybersecurity 2010 Forum to discuss Common Responses to a Global Challenge

Executive Summary

With the exponential growth of the Internet, the increasing use of electronic channels for commerce, governance and relationships, and the use of ICTs in all forms of utilities, the safety and resilience of these channels is increasingly becoming critical. Incidences of recent Cyber attacks and attempts to breach the security of nuclear power prove how fragile Cybersecurity is and the need to safeguard vulnerable people, property and procedures.

The CTO's inaugural Cybersecurity Forum was aimed at raising the awareness of key stakeholders of the need to have robust and resilient Cybersecurity frameworks, building their capacity to implement such frameworks and facilitating dialogue and consultation between the stakeholders. The event, held over two days, focused on the many facets of Cybersecurity, including threats against the state and threats against individuals and children, together with possible responses including technical measures, legal measures, organisational structures, capacity building and international cooperation.

The deliberations identified the difficulties of enforcing Cybersecurity, as the perpetrators tend to move around jurisdictions and use resources widely spread around the world.

Amongst many useful outcomes, the key theme that emerged during the event was the need to foster international cooperation, in view of the ambiguities in jurisdiction, different enforcement mechanisms, varying levels of competencies to face the threats and the difficulty in identifying and prosecuting perpetrators, for which the event provided an ideal platform through the partnership being formed by the UK Government and the CTO.

The CTO, understanding the importance of Cybersecurity not only to its members but to the entire global ICT community, plans to repeat this event as a platform to facilitate the flow of knowledge and to build stakeholder partnerships.

Hon. Maj. Gen. Madut Biar Yel, Minister of Telecommunications and Postal Services, Government of Southern Sudan, Rt. Hon. Baroness Pauline Neville-Jones, UK Minister of State for Security and Counter-Terrorism, and Dr. Spio-Garbrah, CEO of the CTO, at the CTO Cybersecurity 2010 Forum in London

© Commonwealth Telecommunications Organisation 2010, June 2010
Background

There are over 1.8 billion Internet users globally today and social networking has grown exponentially, with Facebook and Twitter leading the way. The convergence between the telecom, broadcasting and IT sectors has given rise to new and innovative services such as IP telephony and digital TV. The financial services sector has benefitted from some novel applications of ICTs, such as mobile banking and mobile money transfer, that have broadened the reach of banking and other financial services to people who had hitherto been marginalised. E-Government services (E-Tax, E-Procurement, E-Education, E-Health) are making steady progress in developing countries, matching the pace of developed countries. The degree and scale of e-enabling society has increased the need to secure the integrity of electronic channels and assure their due functioning. Indeed, electronic channels have become such a lifeline for governments and societies today that the security of these channels is critical to the very survival of countries.

Communications and information services whose availability, reliability and resilience are essential to the functioning of a modern economy, collectively called Critical Information Infrastructures (CII), include telecommunications, power distribution, water supply, public health services, national defence, law enforcement, government services and emergency services. The World Economic Forum estimated in 2008 that there is a 10% to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion. The US Business Roundtable in 2007 suggested that the economic cost of a month-long Internet disruption to the United States alone could be more than $200 billion. According to an OECD report, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion. The costs of a major disruption to Switzerland are estimated to be 1.2% of its GDP.

The Cyber attack on the CII of Estonia in April 2007 is considered to be the first attack on national infrastructure. Since then there have been several major Cyber attacks: in August 2008 Georgia accused Russia of attacking its government websites; in December 2009 Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China; and in 2008 Conficker, which attacks the Microsoft Windows operating system, surfaced.

The ITU launched the Global Cybersecurity Agenda in 2007, aimed at examining the issues surrounding Cybersecurity and promoting international cooperation by convening a panel of international experts called the High Level Experts Group (HLEG), in which the CTO also took part.

Considering the importance of Cybersecurity to the orderly development of ICTs and the challenges faced by its members, the CTO decided to contribute to the global efforts of improving Cybersecurity by holding a conference where experts would share their knowledge, expertise and experiences with the delegates, paving the way for greater international cooperation, harmonised Cybersecurity frameworks and joint action. The UK's Department for Business, Innovation and Skills (BIS) and the Office of Cyber Security (OCS), having recognised the value of the event, joined the CTO to host this event on 17 and 18 June 2010 in London at the BIS Conference Centre.

Dr. Ekwow Spio-Garbrah
Chief Executive Officer, CTO

The relevance of ICTs to economy and governance has been steadily growing, with ICTs contributing to such diverse sectors as agriculture and health. CTO's role had primarily been to work with other stakeholders, including international organisations, in helping set up appropriate policy and regulatory frameworks using best practices worldwide as a guide. Cybersecurity is an integral part of the ICT world and the CTO will play its role to promote international cooperation in Cybersecurity and to act as a platform to facilitate knowledge, expertise, technology and investments.

Hon. Ms. Mmasekgoa Masire-Mwamba
Deputy Secretary General, Commonwealth Secretariat

ICTs have a transformational role which has brought about great benefits along with some undesirable side effects such as Cybercrimes. The Commonwealth governments, recognising the importance of securing the safety of the Internet, granted a broad mandate to the Commonwealth Secretariat under which a series of expert group meetings were held that culminated in a collection of model laws relating to Cybercrime and other computer related crimes. The Secretariat's work in this area includes capacity building and facilitating cooperation between Member Countries. The Harare Scheme, facilitating cooperation in the area of criminal justice between Commonwealth countries, and the London Scheme, which deals with the penalties, are due to be reviewed at the next meeting of Senior Officials of Law Ministers in October 2010 and at the Commonwealth Law Ministers meeting in Australia in 2011.
Session 1

DDoS the problem?
Mr. John Crain, Senior Director, Security Stability Resiliency Programme, ICANN

A number of instances of DDoS attacks (Estonia in 2007, the Australian Parliament in 2010, etc.) have been registered in the recent past. These attacks use multiple hosts to focus traffic against a target at a scale it cannot handle. Though there are some mechanisms to defend against low level attacks, a concerted attack using botnets (hijacked machines) is almost impossible to stop. The best option is to prevent machines from being infected by improving user awareness and computer hygiene.

Critical Information Infrastructure Protection: Threats & Challenges for Developing Countries
Dr. Martin Koyabe, BT

CIIP needs to be considered from the perspective of technical issues (e.g. increased dependencies leading to increasing vulnerability) and the actors involved (e.g. political extremists and organised criminals). Funding, limited human and institutional resources, technical complexities and narrow policy and regulatory regimes remain challenges, while threats to CII continue to grow through the expansion of infrastructure such as international cable networks, failed states and Cyber communities. Coordination and cooperation amongst stakeholders is the key to improving CIIP, while it is also important to understand that though CIIP is expensive, failure to do so will be even more costly.

How is Mobile Security Different? Attacks, risks and mitigations in a brave new world
Mr. Nader Henein, Research In Motion

There are a number of important differences in ensuring security on mobiles. For example, if encryption is added to a BlackBerry the power consumption will double. Yet the growth of smart phones, and the fact that the largest market is the public sector, make it incumbent to ensure security on mobile devices. Strategies to ensure security include centralised management of security with strong policies, limiting applications on devices and Government sponsored certification regimes.

The EESC views on Critical Information Infrastructure Protection
Dr. Thomas McDonogh: European Economic and Social Committee

The EU Action Plan on CIIP is built on five pillars: preparedness and prevention; detection and response; mitigation and recovery; international cooperation; and support from the ICT sector. The EESC has noted that though individual countries have their own CIIP mechanisms, the EU as an institution is limited in its responses, primarily due to lack of cooperation between EU countries, vulnerable systems, inadequate leadership and an inadequate skill base.

Coordinating Activity at an International Level in Response to Online Threats
Rt. Hon. Alun Michael, MP, UK

Cybersecurity is primarily a people's issue, and safety on the Internet requires the engagement of all stakeholders including civil society, with cooperation taking place at both national and international levels.

Though there have been suggestions to create an international agency for Cybersecurity, achievements to date have been the result of flexible frameworks of international cooperation. To be more effective these frameworks need to encompass people's representation as well.

The critical need today is multilateral, multi-stakeholder partnerships that bring together civil society on a global scale, which is an area where the Commonwealth can play a lead role.

Information Infrastructure Protection - Lessons from the UK
Mr. Mark Oram, Centre for the Protection of National Infrastructure (CPNI)

CPNI is mandated to handle national security threats and protect the UK's CII by working with the Government and industry. It focuses on critical services, determined on the basis of the severity of impact if impaired.

In these sectors CPNI addresses physical security, information security and personnel security. In the sectors considered critical and non-critical, CPNI promotes security through Information Exchanges that bring together the stakeholders to share learning.

Decrypting Web Proxies - Corporate Compliance or Surveillance State
Mr. Ron Williams, IBM

A Transport Layer Security (TLS) proxy could authenticate either only the end point or both the end point and the server, providing security in communication between a user and a server. TLS proxies have the full ability to modify and retain information transmitted in both directions, and their operations are largely hidden from the server side.

There are, however, legal and ethical implications of the use of TLS proxies, particularly in some untested jurisdictions. There are business risks associated with decryption technology, especially in respect of communications with third parties such as banks, social networks and business partners.

In that context, full disclosure to end users that decrypting web proxies are in use is recommended, while seeking approval in instances where the legal regimes so require.
Session 1 (continued)

Pro-active engagement with public and private sectors at the Cyber Security Forum

Protecting investors and industry - How Mauritius handles Cybersecurity
Mr. Trilok Dabeesing: Director IT, ICT Authority, Mauritius

Mauritius adopted a holistic approach to ensuring Cybersecurity, as the country views ICT as a pillar of national development and plans to make the country a regional ICT hub.

The country's National Information Security Strategy Plan is a part of the National Information Communication Technologies Strategic Plan for 2007 to 2011, and Mauritius has set up a comprehensive legal framework along with an implementation and institutional framework.

Enforcement has been improved with the setting up of the Police Cybercrime Unit in 2000 and the Computer Emergency Response Team (CERT-mu) in 2008.

Mauritius plans to deploy a Content Security Monitoring Solution which will filter illegal material while maintaining quality.

Key discussion points:
• Innovation should be promoted while ensuring security, bearing in mind the risk of compromising security to manage costs.
• Ideally security should be built in at the time of manufacturing rather than attempting to add it later.

Key Note Address
Rt. Hon. Baroness Pauline Neville-Jones: Minister of State for Security and Counter-Terrorism, UK

Cyberspace presents vast potential and opportunities as well as threats. Interdependence in Cyberspace calls for a convergence of the public and private sectors along with civil society. Governance of the Cyber domain is becoming more democratic and accountable, with ICANN and the IGF providing a voice for developing nations. The Commonwealth has a unique role among the many international initiatives and organisations working in the field of Cybersecurity.

Rather than an international treaty on Cybersecurity, there are a number of interventions that would make a tangible and positive contribution to improving Cybersecurity:
• Harmonising national criminal laws and developing frameworks for mutual legal assistance. The Council of Europe's Convention on Cybercrime is an example of best practice
• Building common resources to fill gaps in capabilities and skills needed to deal with Cyber threats
• Capacity building, sharing best practices and knowledge through multilateral organisations
• Developing norms of behaviour internationally

Importantly, if countries are more transparent about what would be regarded as a real threat, this would not only lead to the development of greater certainty about how Cyberspace is used but, over time, could also lead to the development of certain norms which, if ignored, could justify some form of punitive action.
Session 2 - Individuals/children under threat
Session chair: Mr. Richard Simpson, Canada

Protecting and Empowering Children On-Line
Mr. Will Gardner: Chief Executive Officer, Childnet, UK

Cyber bullying is becoming a critical issue, though it is not perceived quite as seriously as physical bullying. Inaccurate or harmful content, access to adult websites and illegal material contribute to the dangers young people face on the Internet. When the Internet is available through mobile channels, monitoring becomes even harder. Young people need to be equipped with the relevant information to enable them to make informed choices. In fact, children need to be prepared from a very early stage to handle the challenges of the Cyberworld. Moreover, parents need assistance to understand the technology, evaluate its benefits and negative effects and be provided with strategies for safe and responsible use.

Protecting the Individual while Assuring Freedom of the Net
Mr. Paul Hoare, Head of Operations, Serious Organised Crime Agency, UK

An ICANN survey has found that 27% of domain names have been erroneously registered and the owners of 29 million domain names are not known. Factors hampering the prevention of Cybercrimes include enforcement challenges due to the involvement of multiple jurisdictions; lack of common legal definitions; and lack of accurate registration processes and corruption. On a positive note, social networking sites are becoming a good resource for Law Enforcement Authorities. Though global consensus is emerging on certain issues such as child abuse, it should be broadened to cover other criminal activities.

The Internet - safety road for our children
Mr. Tomasz Czajkowski: The European Economic and Social Committee

The EESC Opinion issued in May 2008 finds that children face some serious risks as active users of online technologies and identifies a number of factors that contribute to this threat. The EESC has proposed harmonising legislation across EU Member States which at a minimum should address what constitutes child sexual abuse material, agree that children up to 18 should be considered for protection, and make the possession, viewing or downloading of online child sexual abuse material an offence which will warrant severe custodial penalties. The programme proposed by the EESC will have four actions, encouraging international cooperation as an integral part of each of them:
• reducing illegal content and tackling harmful conduct online
• promoting a safer online environment
• ensuring public awareness
• establishing a knowledge base

ITU's Child Online Protection Initiative
Ms. Cristina Buetti, Policy Analyst, ITU

COP is a global initiative created by the ITU, as part of the GCA, aimed at identifying risks and vulnerabilities to children in Cyberspace; creating awareness; developing practical tools to help minimise risk; and sharing knowledge and experience. COP conducted a survey of 50 countries in February 2010 which produced mixed results. Only 37 countries, which constituted 58% of the Least Developed Countries, confirmed that there are programmes within educational establishments and youth bodies to promote the safe and responsible use of the Internet to children and young people. Future COP initiatives will include raising awareness and lobbying telecommunications administrations around the world to consider the allocation of the number 116111 to give access to help lines run by organisations dedicated to the support and welfare of children. COP also seeks to provide assistance to developing countries in drafting legislation together with implementation guidance, and promoting international cooperation among various stakeholders.

Key discussion points:
• It is important to make legislation as technology proof as possible
• Jurisdiction becomes hard to define as the definition of Cyberspace is ambiguous; is it where the servers are or where the provider resides? This increases the need for cross border cooperation
• Voluntary measures may place industry in a difficult position, particularly when providing services in different jurisdictions where a specific measure may be treated differently.

UK Minister of State for Security and Counter-Terrorism, Rt. Hon. Baroness Pauline Neville-Jones, gives a keynote address at the Cybersecurity 2010 Forum
Session 3 - CERT: Successes, challenges and way forward
Chair: Mr. John Harrison, WARP (Warning, Advice and Reporting Points, www.warp.gov.uk)

Global DNS CERT - Business case for collaboration in security
Mr. John Crain, Senior Director, Security Stability Resiliency Programme, ICANN

Growing risks such as the emergence of Conficker have made it patent that a Global DNS CERT, with ISPs and domain name registrars as primary stakeholders, is a critical need, to provide DNS operators and supporting organisations with a security coordination centre with sufficient expertise and resources to enable timely and efficient responses to threats to the security, stability and resiliency of the DNS. Still, key questions remain, such as where to house it, what the model should be, how to finance it, or even whether it should be a separate agency. ICANN is seeking the inputs of stakeholders at this stage.

ENISA & The CERT Community
Mr. Steve Purser, European Network and Information Security Agency

ENISA was formed in 2004 as a Centre of Expertise to support the European Commission and EU Member States, and today it facilitates the exchange of information between EU institutions, the public sector and the private sector. ENISA supports the Member States and other stakeholders in establishing and operating CERTs by providing help with the establishment of new CERTs; identifying good practices on how to operate CERTs; supporting training and exercises; and recommending a set of "baseline capabilities" for national/governmental CERTs. From 2005 to 2010 the number of CERTs in the EU has grown from 8 to 16, with a further 9 planned. However, the capabilities of national CERTs still vary widely among the Member States. WARPs (Warning, Advice and Reporting Points) could facilitate the exchange of security related information and be an alternative to CERTs for small, trusted communities of users with similar levels of expertise. ENISA is tasked by the Commission to facilitate the Pan-European exercise on CIIP, due to be first held in 2010 in 21 member countries.

Aims and Expectations of Gibraltar
Mr. Joseph Torres, Radiocommunications & IT Manager, Gibraltar Regulatory Authority

Though Gibraltar's online gambling services attract Cyber criminals, it does not have a CERT yet. The legislative framework of Gibraltar consists of the Communications Act 2006 for protecting the infrastructure (GRA), the Data Protection Act 2004 for protecting the privacy of the individual (GRA) and the Crimes (Computer Hacking) Act 2009 for criminalising illicit use of computers (Police). Gibraltar certainly needs a CERT to coordinate resources both locally and internationally.

East Africa Communications Organizations (EACO) Region Experience
Mr. Michael Katundu, Assistant Director, Information Technology (IT), Communications Commission of Kenya (CCK)

The Cybersecurity Taskforce of the EACO, consisting of ICT regulators and operators of Kenya, Tanzania, Uganda, Rwanda and Burundi, was formed in 2008 to coordinate the development of a Cybersecurity management framework for the EACO region.

It is tasked with facilitating the establishment of National CERTs; coordinating responses to Cybersecurity incidents at the regional level; establishing regional and international partnerships; and providing regional Cybersecurity Incident Reports annually to EACO member countries.

So far its achievements include forming a partnership with the ITU to deploy National Cybersecurity frameworks; capacity building workshops; and Country Assessments by ITU-IMPACT on the national CERT establishment needs of the EACO member countries.

Managing Cybersecurity in the EACO region is hampered by the lack of policy, legal and regulatory frameworks; lack of national Cybersecurity management frameworks; and limited Cybersecurity awareness, among others.

Key discussion points:
• It is doubtful whether developing countries would have the means to set up and support both a CERT and a DNS CERT
• Creating National Points of Contact and building trust among them is key to promoting international cooperation
• The ITU has a great role to play by setting standards in aspects of Cybersecurity such as information and encryption.
Session 4 - Appropriate legal frameworks for Cybersecurity
Session chair: Mr. Stewart Room, Field Fisher Waterhouse

Child Abuse Images on the Internet - a Commonwealth Response
Mr. John Carr, Secretary, UK Children's Charities' Coalition on Internet Safety

The scale of offending through "child abuse images" (which is the preferred term over "child pornography"), together with other offences such as grooming and Cyber bullying, has grown exponentially due to the growth of the Internet.

In 1995 Interpol knew of 4,000 images globally, while in 2009 one million images were being circulated, viewed and downloaded billions of times.

A global survey in 2010 of laws relating to child pornography found that only 34 countries out of 196 have a framework of laws "deemed sufficient to combat child pornography offenses", and 29 Commonwealth countries did not meet the required standard. The Commonwealth needs to aim for a common platform given the shared legal values and common legal principles.

A working group has been proposed to take forward an initiative to encourage the adoption of a legal framework to deal with online child abuse images and to create a hotline to receive reports.

Towards a modernised Network and Information Security policy for the European Union - The EU framework and its relevance to the rest of the world
Mr. Andrea Glorioso, European Commission, DG INFSO

The EU Policy Framework for Network and Information Security (NIS) started with the establishment of ENISA in 2004. Recent developments include the EC proposal for an Action Plan on CIIP in March 2009 and the adoption of the European Digital Agenda in May 2010.

The Commission's proposal for a modernised NIS policy, which is built on dialogue, partnership and empowerment through a multi-stakeholder approach, is expected in the summer of 2010. It requires service providers to prevent and minimise the impact of security incidents, to notify security breaches and to inform other EU authorities, ENISA and the public when needed.

The Commission Communication to the European Parliament, COM(2009)149, sets the remit of CIIP as protecting Europe from large scale Cyber attacks and disruptions, including natural disasters; promoting a security and resilience culture and strategy; fostering cooperation and exchange of policy practices between EU members; and reinforcing international cooperation, amongst other things. One of the seven priority areas for action on the Digital Agenda is enhancing trust and security.

A model legislative and regulatory framework for Cameroon
Ms. Patricia Asognwe: University of Yaoundé, Cameroon

McAfee has found Cameroon to be home to the world's riskiest Internet sites, which reinforces the need for legislative and regulatory reform. Cameroon needs clearly defined laws, including a strong deterrent for Cybercrime, and must create robust and interoperable laws by incorporating standard models into its own legislation while taking into consideration its cultural diversity. Potential models include the United Nations Convention on the Use of Electronic Communications in International Contracts and the Council of Europe Convention on Cybercrime. The new law should outlaw illegal access, illegal interception and data interference. It also requires appropriate procedural laws to cover computer related crimes that also address investigatory challenges and evidential issues. Some achievements so far include the Bill on Cybercrimes and Cybersecurity and a draft bill on the protection of ICT consumers.

Sri Lankan Cyber Crimes Legislation - a Developing Country perspective
Mr. Jayantha Fernando: Director/Legal Advisor, Information and Communications Authority (ICTA), Sri Lanka / Vice Chairman, ICANN Governmental Advisory Committee

The Sri Lankan legal framework is built primarily around the Computer Crimes Act No. 24 of 2007, which provides for the identification as well as the investigation and prevention of computer crimes; the Payment Devices Frauds Act No. 30 of 2006, which protects persons lawfully using payment devices, criminalises and prevents the possession and use of unauthorised or counterfeit payment devices and provides for the investigation of offences; and the Penal Code (Amendment) Act No. 16 of 2006, which prevents computer based services being used for child exploitation. However, it should be noted that criminal investigations may interfere with the rights of subjects, and investigators need to ensure that actions are justifiable and proportionate to the needs. One of the unique features of investigation and enforcement is the provision to designate "experts" to assist investigators.

However, enforcement challenges remain, among them the lack of understanding by victims, enforcement authorities and the wider legal community alike as to what constitutes a Cybercrime, and the lack of infrastructure to safeguard the confidentiality of the victim. There are plans to establish a Digital Forensic Lab for the Computer Crimes Unit of the Police, set up a hotline for reporting offences and implement IT Usage and Information Security Policies with both the public sector and the private sector. The ICTA established Sri Lanka's CERT as a subsidiary in November 2006 based on a public private partnership model. Sri Lanka is considering signing the Council of Europe Convention on Cyber Crime and promoting international dialogue by engaging with international organisations.
9. CYBERSECURITY FORUM 2010
EVENT REPORT
17 - 18 JUNE 2010, LONDON
Session 5 - Cybersecurity through international cooperation
Session chair: Mr. Geoff Smith, BIS

Global Cybersecurity Agenda - Next Steps
Ms. Cristina Buetti: ITU

WSIS entrusted ITU as the sole facilitator for WSIS Action Line C5, "Building Confidence and Security in the use of ICTs". Both the ITU Plenipotentiary Conference in 2006 and the ITU World Telecommunication Development Conference in 2010 placed Cybersecurity as a priority for ITU. The ITU Secretary General created the GCA in 2007 to promote stakeholder collaboration and to avoid duplication of effort by building on five pillars: legal measures; technical and procedural measures; organisational structures; capacity building; and international cooperation. Since its inception the GCA has made some significant achievements. In legal measures, the ITU Toolkit for Cybercrime Legislation was created along with a Guide for Developing Countries on Cybercrime. On technical and procedural measures, ITU carried out standardization work and created an ICT Security Standards Roadmap. Under organisational structures, the ITU-IMPACT collaboration was formed and the establishment of national CIRTs was undertaken. On capacity building, ITU developed the National Cybersecurity/CIIP Self-Assessment Tool along with a Toolkit for Promoting a Culture of Cybersecurity. In the field of international cooperation, ITU created the High-Level Expert Group and the ITU Cybersecurity Gateway and launched COP. ITU-T's initiatives undertake security coordination both within ITU and with external stakeholders; create and update a security compendium of approved security-related Recommendations and definitions; and produce the ICT Security Standards Roadmap and the ITU-T Security Manual.

International & Regional Cyber Security Initiatives
Mr. Peter Burnett: Office of Cyber Security, Cabinet Office, UK

The strategic objectives of the OCS are to secure the UK's advantage in Cyberspace by reducing risk, exploiting opportunities and improving knowledge, capabilities and decision-making. In the international arena the OCS coordinates the UK's international engagement on Cyber issues, engages with international partners, provides guidance on international issues and acts as the contact point on international Cyber policy. The UK, through CPNI, has produced the Telecommunications Resilience Guidance aimed at securing the UK's telecom networks, and has also created the International CIIP Directory for connecting stakeholders. The UK has identified facilitating communication between different stakeholders as a critical requirement in a crisis. The OCS believes that a multi-agency approach is critical, as Cybersecurity is too vast an area for a single agency to handle.

Strengthening Greater International Cooperation Between Nations to Better Prevent and Defend Against Cyber Threats
Ms. Daisy Francis: Manager, International Cooperation, International Multilateral Partnership Against Cyber Threats (IMPACT)

IMPACT brings together governments, industry and academia to operationalise Cybersecurity initiatives across ITU's 191 Member States. It is the physical home of the GCA, based on a memorandum of understanding signed in 2008. So far 42 countries have agreed to receive Cybersecurity services from IMPACT. IMPACT houses the Global Response Centre, which is a network early warning system operated in collaboration with global industry partners, and the Electronically Secure Collaborative Application Platform for Experts (ESCAPE). The Centre for Training & Skills Development provides specialised training, conducts certification courses and operates scholarship programs.

A Survey of International Efforts to Combat Cybercrime
Mr. Richard Simpson, Canada

Rapid growth of online threats has increased the cost to businesses and eroded trust and confidence in the Internet. While criminal law and law enforcement are important, national and international frameworks for civil law remedies are critical for security and trust on the Internet. A multi-stakeholder approach is essential for developing voluntary measures by the private sector to protect the Internet economy. These measures work on three tiers: law enforcement and national security; ground rules for the Internet economy; and private sector self-protection. The Council of Europe seeks to harmonize national laws across signatories to the Convention on Cybercrime, to facilitate international cooperation and to improve investigative techniques. The G8 High-Tech Crime Subgroup is an international framework that aims to assist law enforcement and industry in gathering information on criminal and terrorist acts that use computer networks. An example of setting ground rules for the Internet economy is the OECD policy instruments, such as the Anti-Spam Toolkit of 2006. Some forms of action are being formulated to facilitate private sector self-protection, such as the Messaging Anti-Abuse Working Group (MAAWG), which produces data on threats, identifies threats and designs ways in which the private sector can respond.

In this regard the similarities of Commonwealth members, though on different scales, are an advantage, as they facilitate action at a scale and to a depth that larger groupings are unable to achieve, particularly by leveraging the strengths of members for the benefit of each other.
Session 5
Speakers and attendees at the Cybersecurity Forum
Common Assurance Maturity Model (CAMM)
Des Ward, ISSA, Information Systems Security Association

By its very nature information needs to be shared, and the challenge is managing and assuring the security of third-party access to information. ISSA proposes the Common Assurance Maturity Model (CAMM) as a new approach, built on existing standards, that measures maturity against defined control areas, with particular focus on key controls. The model is based on the individual entity setting the level of risk it is willing to tolerate and communicating that to its business partners. Evidence of compliance is captured in a central repository. The model applies existing standards to six domains (governance, HR, IT services, physical security, business continuity and incident management) and evaluates whether the controls are complete, essential, auditable and measurable. Responses against common control areas provide a measurement that indicates the level of maturity. A set of common controls and guidance is planned to be completed by the fourth quarter of 2010.

Key discussion points:

• Due to the use of proxies it is almost impossible to ascertain the origin of a Cyber attack.

• The better option is to address vulnerabilities rather than to attempt to respond to attacks.
Session 6 - Cybersecurity through international cooperation
Session chair: Mr. Geoff Smith, BIS

Organisational capacity building
Mr. Philip Victor, Director, Training, Skills Development & Outreach, International Multilateral Partnership Against Cyber Threats (IMPACT)

IMPACT has identified the lack of Cybersecurity professionals as a principal challenge. IMPACT's Centre for Training & Skills Development holds specialised training programs, conducts seminars and workshops and also operates scholarship programs in partnership with global certification bodies. IMPACT Security Core is the centre of its training and capacity building initiatives, providing both technical and managerial training which IMPACT plans to deliver across the world. So far IMPACT has held several well-attended courses in different subjects, including Network Forensics & Investigation and IPv6. IMPACT also undertakes security assessments for countries; assignments for East and West Africa have just been concluded and it is currently carrying out assessments for Nepal and the Maldives. This activity is aimed at gauging the security status and understanding the needs as a prelude to developing CERTs.

National Cyber Security Management System
Professor El Kettani Dafir, Ministry of Industry, Trade and New Technologies, Morocco

Morocco is implementing a National Cybersecurity Management System (NCSecMS), which could become a global framework responding to the needs expressed by the GCA. NCSecMS has four components: the National Cybersecurity Framework, the Maturity Model, Roles & Responsibilities and the Implementation Guide. It works through five domains (strategy and policies; implementation and organisation; awareness and communication; compliance and coordination; and evaluation and monitoring), each with a number of processes, each of which is built around the applicable stakeholders such as the Government, the banking sector, citizens etc. Each process is expected to pass through five maturity stages, from the initial level, when the process is disorganised, to the optimizing level, when the process is continuously improved by monitoring feedback after implementation. In Morocco, Cybersecurity is part of the National ICT strategy, together with a regulatory framework and organisational structures supported by awareness raising, communications and capacity building.

To ensure resilience and security in e-communication networks, a PPP challenge
Mr. Anders Johanson: Director, Network Security Department, Swedish Post and Telecom Agency

The Swedish regulator, the Swedish Post and Telecom Agency (PTS), facilitates PPP projects to promote Cybersecurity and secure vulnerable functions; in the last 8 years 300 PPP projects have been implemented. One example is the National Telecommunications Coordination Group (NTCG), which was formed by the eight largest telcos and ISPs together with other stakeholders. It supports the restoration of national e-communications infrastructures during critical disturbances. Multipurpose Information Management and Exchange for Robustness is another PPP, sponsored by the EU, which is a technical platform for information exchange and supports crisis management. The National Computer Emergency Response Team (SITIC), the Swedish national CERT, is tasked with incident response and proactive measures. SITIC advises and supports government agencies, regions, municipalities and the private sector on proactive measures in the area of network security while also coordinating actions. SITIC is the national point of contact for international incident response cooperation and is a member of the European Government CSIRTs group, of FIRST, the Forum of Incident Response and Security Teams, and of the International Watch & Warning Network (IWWN).

Fostering Collaboration in a Digital Society
Mr. Anthony Dyhouse: Digital Systems - Knowledge Transfer Network, UK

The Knowledge Transfer Network (KTN) was set up by the Technology Strategy Board to provide a focal point for UK expertise in important future industries, to facilitate knowledge sharing and to encourage collaboration as a multi-stakeholder partnership. Digital Systems KTN was created by the amalgamation of three KTNs in view of the need for a holistic approach resulting from the convergence of technology, and today comprises the Cyber Security Programme, the Scalable Computing Programme and the Location and Timing Programme. KTN is a model for collaboration that facilitates the sharing of knowledge, innovation and understanding by conducting events; it manages funding calls, fosters special interest groups and facilitates industry consultations.

Dr. Ekwow Spio-Garbrah, Chief Executive Officer, CTO, and Philip Victor, Director of Training, Skills Development & Outreach, IMPACT, sign an MOU for multilateral co-operation against cyber crimes
Session 6
Emerging Organisational Structures; an EU Perspective
Mr. Ivailo Kalfin, MEP, Committee on Industry, Research and Energy

Cybersecurity capabilities across the European Union (EU) vary to a large degree, which, along with issues of financing mechanisms, has hampered the development of a common approach to Cybersecurity. ENISA is an instance where cooperation has produced positive results, but ENISA has only a temporary mandate, which has to be renewed by the end of 2010. The absence of a sense of permanency contributes to the instability of the system. One challenge to formulating a Europe-wide response for Cybersecurity is the potential conflict with national laws, such as those on personal data protection. Secondly, the EU's inability to take part in international consultations as one entity, although members take part in their individual capacity, is an impediment. Encouragingly, the Heads of State of the EU have recently adopted the Digital Agenda, though its focus on Cybersecurity is limited.

On another positive note, the EU now has an official, Ms Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, whose remit is developing digital policies and addressing related problems. Lack of a single organisational structure is a key impediment to responding to Cybersecurity on a Europe-wide basis. Current practice is limited to coordination between various bodies such as the national CERTs, which unfortunately have varying degrees of capability.

Three critical actions needed to assure Cybersecurity across Europe are: firstly, a better understanding of the issues and facets of Cybersecurity; secondly, European coordination of policies; and thirdly, an EU strategy and the modalities to implement it.

Intellect's Cyber Security Programme
Mr. Charles Ward: Chief Operating Officer, Intellect

Intellect is an industry association that develops new thinking, influences policy, shapes markets and improves its members' performance, focusing on digital communications and convergence; ID and information management; and defence and security, among other areas. Intellect's Security & Resilience engagement map calls for linkages and coordination between various stakeholder groups, drawing on the workings of the Defence and Security Board, which has a dedicated Cyber Security Group. This group was formed in 2009 to provide a coherent voice for industry working in "high threat" areas, and carries out awareness raising while contributing to policy development.

It produces position papers on improving mechanisms for information sharing between Government and industry on Cyber threats. Its plans for the future include creating an industry charter or a code of conduct.
Session 7 - Technical responses to Cybersecurity
Session Chair: Mr Mark Carvell, BIS

An overview of the Cybersecurity Information Exchange Framework - CYBEX
Mr. Mike Hird: BIS

The basic CYBEX model facilitates the flow of information from Cybersecurity information acquisition to Cybersecurity information use by structuring information; identifying and discovering objects; requesting and responding with information; exchanging information over networks; and assuring Cybersecurity information exchanges. CYBEX has the means to identify and exchange knowledge about weaknesses, vulnerabilities and incidents, and provides trust assurance for the information and the parties involved. It will determine the Cyber-integrity of systems and services, detect and exchange incident information and provide forensics. Importantly, CYBEX can be extended to networks, services and platforms operating today or that may come into being in future. The CYBEX Framework and some initial specifications are expected to be ready by December 2010, and implementation is due by 2011-12. It is a multi-stakeholder initiative that brings together government agencies, vendors, service providers and other bodies.

Harmonizing identity management, privacy and security in the cloud and in the grid: Dynamic distributed key infrastructures and dynamic identity verification and authentication, seamless interoperability
Mr. Andre Brisson, WNLabs, Canada

Dynamic identity verification and authentication allows a choice of credential providers, can be used with any existing security technologies, any model or framework, and is scalable. In dynamic identity verification and authentication, both the server and the endpoint have a copy of the account identity management key. The server sends a request to the endpoint for an identification token of a specific length, and authenticates the user or device by comparing the received token to the token generated at the server for that person or device. In this method cost is better managed, as the requirement is simply to add an identity management protocol that can be called from any application at the point of network access. The system could be extended to a wider group by collating identities at a central location, bringing together stakeholders from both the public and private sectors. In a wider scenario the Government could issue all citizens a unique identity management key, which would allow people to access all services with unique key segments without ever exhausting the key. The Government could also issue master keys to Tier 1 communication providers, which the carriers and communications providers could use to issue an unlimited number of keys/identities for access to non-government business services. This model facilitates service to any number of endpoints in any combination of models or frameworks for interoperability, which will enable safe online transactions, better use of resources and enhanced user convenience, among other benefits.

Wireless World Research Forum - Security, Privacy, and Trust Agenda
Dr. Mario Hoffmann, Chair WWRF Working Group 7 "Security & Trust"

With the exponential growth of wireless devices (estimated to top 7 trillion by 2020), privacy, security and trust are becoming a key challenge. In its research WWRF has identified potential threats to the application layer, platforms/middleware, mobile devices and infrastructure, in addition to threats occurring inter/cross-layer. WWRF recommends, among other things, a multilateral security approach for security and risk analyses: addressing privacy, security and trust at the design stage, taking all parties to a transaction into account by considering each party's security requirements and privacy concerns, and finding a reasonable balance between the different interests.

Trust, Security, and Resiliency - Empowering the Information Society
Ms. Angela McKay, Senior Security Strategist, Microsoft

Understanding Cyber threats requires understanding the many challenges involved, including the varying motives and actors. Ensuring trust in the Information Society involves addressing revocation (mechanisms for revoking claims), establishment (mechanisms to uniquely identify, authenticate and establish trust), broker-mediated disclosure (mechanisms enabling trusted third parties to minimize the data shared) and minimal disclosure (mechanisms to limit the information revealed to only what is essential for the transaction).

The primary aim of a strategy to assure security and trust should be to reduce the potential gains of an attacker, which is the basis on which the Microsoft Security Development Lifecycle is built, and under which emergency responders, Government, media, the private sector and NGOs partner with Microsoft. Its contributions to the initiative include training (e.g. the Security Cooperation Program) and policy guidance through the Critical Infrastructure Partner Program.
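The shared-key challenge/response exchange summarised under Mr. Brisson's talk above (server and endpoint each hold a copy of the account key; the server asks for a token of a given length and compares it with the token it derives itself) has two places where an implementation goes wrong in practice: the comparison must not leak timing, and a key segment must never be challenged twice, or a captured token can simply be replayed. The Python below is an added example written for this report, not WNLabs code. The derivation of a token from a key segment uses HMAC-SHA256 in counter mode as a stand-in, because this page does not describe WNLabs' own key-segment method; the account name, the offset bookkeeping and the Server/Endpoint classes are hypothetical.

```python
import hashlib
import hmac
import secrets

# Domain-separation label for the stand-in derivation (an assumption, not WNLabs').
TOKEN_LABEL = b"dynamic-identity-token-v1"


def derive_token(account_key: bytes, offset: int, length: int) -> bytes:
    """Derive the `length`-byte token for the key segment at `offset`.

    Both sides hold `account_key`, so both can compute the same token from
    (offset, length) alone. Each offset yields an independent segment, so the
    shared key is never used up. HMAC-SHA256 in counter mode stands in for the
    WNLabs derivation, which this page does not describe.
    """
    if length <= 0:
        raise ValueError("token length must be positive")
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = (TOKEN_LABEL + offset.to_bytes(8, "big")
               + length.to_bytes(4, "big") + counter.to_bytes(4, "big"))
        out += hmac.new(account_key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class Server:
    """Holds each account's key copy, the next unused offset and the open challenge."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._next_offset: dict[str, int] = {}
        self._pending: dict[str, tuple[int, int]] = {}

    def enrol(self, account: str, key: bytes) -> None:
        self._keys[account] = key
        self._next_offset[account] = 0

    def challenge(self, account: str, length: int = 32) -> tuple[int, int]:
        """Request a token of `length` bytes; move past the segment so it is never reused."""
        offset = self._next_offset[account]
        self._next_offset[account] = offset + length
        self._pending[account] = (offset, length)
        return offset, length

    def verify(self, account: str, token: bytes) -> bool:
        """Recompute the expected token and compare in constant time."""
        pending = self._pending.pop(account, None)  # one answer per challenge
        if pending is None:
            return False
        offset, length = pending
        expected = derive_token(self._keys[account], offset, length)
        return hmac.compare_digest(expected, token)


class Endpoint:
    """The user's device: answers challenges with its copy of the account key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, offset: int, length: int) -> bytes:
        return derive_token(self._key, offset, length)


def run_exchange() -> tuple[bool, bool, bool]:
    """Genuine endpoint, a replayed token, and an endpoint holding the wrong key."""
    key = secrets.token_bytes(32)              # issued out of band at enrolment
    server = Server()
    server.enrol("alice", key)                 # hypothetical account name
    alice = Endpoint(key)
    impostor = Endpoint(secrets.token_bytes(32))

    offset, length = server.challenge("alice")
    token = alice.respond(offset, length)
    genuine_ok = server.verify("alice", token)

    server.challenge("alice")                  # new challenge, new key segment
    replay_ok = server.verify("alice", token)  # the captured token no longer matches

    offset, length = server.challenge("alice")
    impostor_ok = server.verify("alice", impostor.respond(offset, length))
    return genuine_ok, replay_ok, impostor_ok


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

As written this authenticates the endpoint to the server only, which is what the talk describes; if the endpoint also needs to know it is talking to the real server, it has to issue its own challenge in the other direction. The replay resistance comes entirely from the server advancing the offset and discarding the pending challenge after one answer, so that state must be persisted per account and not reset on restart.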
Abbreviations/Technical terms

Botnets: Networks of compromised computers running software agents (bots) that act autonomously under remote control
CII: Critical Information Infrastructures
CIIP: Critical Information Infrastructure Protection
COP: Child Online Protection
CPNI: Centre for the Protection of National Infrastructure, UK
CERT: Computer Emergency Readiness/Response Team
DDOS: Distributed Denial of Service attack
DNS: Domain Name System
EESC: European Economic and Social Committee
EU: European Union
GCA: Global Cybersecurity Agenda
GDP: Gross Domestic Product
G8: Group of Eight
ITU: International Telecommunication Union
Malware: Malicious software
OECD: Organisation for Economic Co-operation and Development
PPP: Public Private Partnerships
WSIS: World Summit on the Information Society