Importance of Cybersecurity Strategies

This week’s reading focused on CyberSecurity and the importance of
nationalstrategies. In ITU’s report ITU National Cybersecurity Strategy Guide
written by DoctorFrederick Wamala he discusses the importance that a national
government and securityshould consider when creating their national strategy.
Cyberspace involves all of thesystems connected directly or indirectly to the
Internet while cyber security focuses on thestrategic plan to protect cyberspace
and ensure that the system continues to functionunder a threat.

According to the
guide there are 10 important elements of creating aNational Cybersecurity
Programme.The first item of the list is “Top Government Cybersecurity
Accountability”.According to the guide this element is important for a cyber
security programme has to becross- sectional across a nation. Not solely local
or national but has to cooperate under alllevels of government. They are the
ones accountable for devising a functional plan. Thesecond term on this list is
a coordinator. Like Homeland Security it is crucial that there isan office or
individual who oversees cyber security activities. Thirdly a “National
Cybersecurity Focal Point” meaning the multi- agency body is the focal point for
all of theactivities dealing with protection. Fourthly when creating a
Cybersecurity you need todesign the “Legal Measures” in which a team drafts a
policy and law procedures inresponse cybercrime. Fifth on the list is a
Framework. This is your start of the plan forwhich you state the basic elements
required in a national security. Sixthly, you need todesignate a Computer
Incident Response Team (CIRT) which is a “strategy led programmecontains
incident management capabilities with national responsibility”. They
areresponsible for coordinating responses to the stakeholders. After creating a
team you needto promote awareness and education about cybersecurity. It is
important that the nationknows and understands the importance of cyber threats.
Eighth on the list is a “Public –Private Sector Cybersecurity Partnership” for
which Government agencies shouldcollaborate with private companies such as
google. In order for a security team to be set upyou do however need to train
cybersecurity professionals. Lastly, the government needs toform “International
Cooperation” especially cause most cyber threats come from othercountries and
global cooperation is vital to additional security.If a country follows these
initial guidelines to forming and creating a NationalCybersecurity Programme,
they should soon be able to generate a national strategy planfor which they will
increase security and ensure that their nation’s cyberspace and
privateinformation is never threatened.

Hackathons to End Corruption

Transparency International and
Random Hacks of Kindness (RHoK) have
collaborated to organize Hackathons that are aimed to challenge
anti-corruption and technology experts to work together and create
innovative solutions to corruption challenges. Corruption is an
impatient to the development process, therefore initiatives are needed
to make governments more accountable and less corrupt. This is there
ICT4D comes in. Both Transparency International and Random Hacks of
Kindness believe that technology can serves as a tool in the worldwide
fight against corruption. The hackathon relies on ‘problem statements’
from Transparency International chapters, and members of the public,
while Random Hacks of Kindness mobilizes their base of technological
do-gooders.

These are the questions that they try to tackle together:

• How can mobile technologies help us in monitoring elections across the world?
• How can we visualise and structure our research data to engage more people?
• How can we analyse public data through smart engines, or link
• databases to shed light on the misuse of public funds?
• How can we make e-solutions to prove the competitiveness of ethical
• business behaviour?

Participants include hackers, coders, programmers, designers,
do-gooders, politicians, NGOs, political theorists and everyone else
ready to make a practical contribution to stopping corruption. The
Hackathon is live-streamed over the internet to over 8 countries who
have participants working together to find innovative ways to use
technology to fight corruption.

On example of such a Hackaton was headed by Transparencia Colombia who
with RHoK in Bogota, Telefonica, Movistar, Wayra Colombia, Microsoft
and Public,  developed a web and mobile citizen tool to report
electoral advertising for 2014 elections called Participa. They also
were able to developed an online platform for tracking citizen
corruption allegations on their way through Guatemalan public offices,
illustrating that the power technology has in the efforts to fight
corruption.

Government Employees Need to get Schooled on Cybersecurity

This week, both our classmate Annie Mellon and our guest speaker Professor Ralph Russo, briefly discussed the pressing issue of cyber security and cited examples from different security breaches including worms that invade control systems in nuclear plants to mobile applications that hijack airplanes. Russo mentioned that he fears the government does not know how to cope with many of these serious threats. After researching the matter, it turns out they don’t.

According to an article by CBS (http://goo.gl/KZd3L), no organized, across-the-board computer safety training is offered for employees even though electronic data theft from governments among other issues are unquestionably on the rise. One would think at least Wikileaks or Anonymous would be a wake-up call.

Information technology experts view training as an integral component of cybersecurity and D.C. officials admit their own employees should be more educated on computer use (yet seem to have a hard time acting on it), especially as governments face sophisticated cyber-threats such as those referenced above and as human errors have contributed (and will continue to contribute) to widespread data breaches.

While government officials have legitimate points when they argue that developing internet security through new products and tools come first, others argue that it should be the other way around. What do you all think? Should training be put on the so-called back-burner for now?

One might have to consider what Eric Chapman, deputy director of the Maryland Cybersecurity Center at the University of Maryland, has to say:

If you have one user who’s fundamentally unaware of what a spear-phishing email looks like, the entire enterprise is vulnerable

If US employees are incompetent at dealing with these rapidly emerging issues, government employees in the developing word certainly are not equipped to dealing with them. Will basic training even suffice to combat many of the issues? Hacking into the cyber space has become more sophisticatedly performed with every day. These are ill-intentioned uber-geniuses we are dealing with.

2012: The new year of cybersecurity

In this week’s lecture we discussed cyberspace and cyber security strategies.  To begin I will differentiate the two terms. According to the ITU National Cybersecurity Strategy Guide written by Dr. Frederick Wamala in 2011, the term cyberspace is used to “describe systems and services connected either directly to or indirectly to the Internet, telecommunications and computer networks”. Cybersecurity on the other hand is a term used to describe a strategy of defense that is crucial to all governments for it ensures that cyberspace (internet) continues to work efficiently and maintain social order if it is attacked unexpectedly by and external threat. Secondly I will discuss an article that illustrates the true importance of cybersecurity.

In an article 2012: Year of War Against Cyber Crime written by Arthur Coviello published in early 2012 in The Economic Times he discusses the negative side effects of a technological emerging world and how shared private information has the possibility of becoming public. In 2011 there were various attacks on large corporate companies such as Sony, Epsilon and Google in which their software information was hacked and stolen. Thus in 2012, these companies have decided to “focus on key areas of improvement and innovation”. According to the author he believes that both private and public sectors should collaborate and establish a common framework to share information. According to the article “today’s attackers are better at sharing real- time intelligence than their targets”. As ITU suggested in their guide for national strategies and similarly in the article, education and training of our cyber workforce will become the priority. It is not only important to create a government programme dedicated to cyber security but also support cyber security programmes “that graduate more individuals in computer sciences and risk assessment.” ITU suggested this national strategy plan in 2011 and this article claims that the US federal government is enforcing and renewing its cyber security workforce plans and is anticipating to spend nearly 13.5 billion on cyber security initiatives by 2015. Organizations as well will begin to change the way they incorporate security into their systems. While our society has made huge innovations in the field of technology it is vital to our well being of individuals and nations that our cyber information is protected and safe.

Thus as the article claims and ITU suggested and seems to be in the United State’s interest and future strategic plans, cybersecurity needs to be incorporated into a national programme and policy and should work along side private companies such as the one listed above to ensure full capacity security.

Spear Phishing Attacks South Korea

In March of this year, a  cyber attack wiped out many banks and broadcasters in South Korea. Specifically concerning about this attack was the fact that many members of the Shinhan banking network were targeted using what is known as spear phishing. Spear phishing requires prior knowledge about a specific person or group of people to be targeted and hackers send phishing e-mails to these specific people. The look-alike pages used in phishing and spear phishing can be especially worrisome due to the fact that people put their trust in a company and may blindly follow commands upon asked to change their password or something of the like.

This cyber attack was well-planned according to researchers in that hackers gained access to the organization’s computers eight months prior, monitoring the activities inside the server. Finally, malware was distributed to computers, wiping out much of the data.

These attacks are of an extremely serious nature. They allow for high return for the hacker with little traceability or chance for getting caught. The introduction of AttackKits allows for less knowledgeable hackers to conduct attacks on larger scales than otherwise possible.

Spear phishing to large organizations, or even vulnerable populations, can on any scale have detrimental effects. The freedom of the internet and the anonymity behind it has spiraled into a world of its own, allowing large amounts of data to be stolen or wiped out without even having to leave the house. This begs the question on how to protect against cyber attacks. Nation-wide implementation of cyber security should be a main priority, as cyber attacks could potentially wipe out essential information and infrastructure, leaving it at a standstill and having to start from ground zero. Policies must begin to be more stringent in this manner.

Read the article about South Korea here and here.

 

Cyber Security Abroad

After listening to a great presentation on cyber security and its importance as well as risks, I became interested in how other nations treat cyber security and if America is giving advice. I stumbled onto an article that talked about how foreign allies of America need to start stepping up their cyber security as they are “equally mobile and even more vulnerable” than America. Many times in developing nations cyber security is an after thought, second to mobile networking and focus on economic growth. The senior adviser for the department’s Office of the Cyber Coordinator Thomas Duke stated that ”due diligence” is a top priority for America and we will start helping developing nations to increase their communications infrastructure. Nations such as India, South Africa, and other developing but prominent countries can be threats to themselves and their global interconnected networks. An example of this is when the South African governments twitter feed was hacked (@StateSecurityRS) and started to advertise a diet regime.

Many developing nations in Africa do not have the skills or are not willing to protect them selves from cyber crimes. The US government has started to engage with South Africa, India, Brazil, and other nations in creating ground rules upon what is acceptable and what is not in relation to cyber security and attacks. As Duke states, “Those are countries that are leaders of the developing world and countries where we think it is very important to identify the things that we agree upon and don’t agree upon”. Cyber security is becoming a big issue globally and will likely continue to do so until all nations tighten up their security or create a stronger set of guidelines.

US-Israeli Stuxnet Cyber-attacks against Iran: info and implications

Our guest speaker in class today, Professor Ralph Russo, briefly discussed the US-Israeli Stuxnet Cyber-attacks against Iran. With the topic of class this week being cybersecurity, I think that a deeper look into this event is warranted.

In 2009-2010, the US (in collaboration with Israel) used malware, specifically a Stuxnet worm, to invade the control systems in an Iranian nuclear plant so that it’s centrifuges would spin at incorrect rates. Iran’s Natanz uranium enrichment facility was the specific target. This cyber-attack successfully caused major technical problems with the centrifuges at this site and stalled nuclear production in Iran.

The cyber-attack qualifies as “an act of force” using “cyber weapons” under the Tallinn Manual on the International Law Applicable to Cyber Warfare, which states: “acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” (A). This event is also widely acclaimed (by Professor Russo and other professionals) as “an act of war.”

Obama recently stated in an article in the Wall Street Journal: “cyber threat to our nation is one of the most serious economic and national security challenges we face” (B). On the same note, just two weeks ago, the president of Estonia stated in the New York Times: “In a modern digitalized world it is possible to paralyze a country without attacking its defense forces” (C). In other words a country can virtually be brought to a halt by cyber-attack.

Clearly, the world understands the potential devastating outcomes of a cyber-attack as one of the most serious threats to a country, its economy, public health system, safety, etc. So was the US cyber-attack against Iran warranted? Are we promoting the ‘use’ of cyber-attacks by carrying them out ourselves, even if the intention of the cyber-attack against Iran was (arguably) harm reduction, disaster mitigation, or self-defense? Are we just asking for/ should we expect a strike back from Iran now that we’ve initiated this cyber-war? Professor Russo argues that we can’t really complain when Iran turns around and does something like this to us, and I have to agree with him.

Sources: A, B, C

Kenya Launches National Cyber Security Strategy and Master Plan

The arrival of extensive undersea fibre optic cables in mid-2009 have spurred a major ICT revolution in East Africa with Kenya in the lead and Tanzania following close behind. The transition to broadband has spurred rapid growth in the number of Internet users and increased access for many to cheap Smartphones. Kenya has also been able to achieve faster broadband connection than their counterpart in South Africa. IBM even chose Nairobi for its first African Research Lab.

So, what does all this rapid progress mean for exposure to cyber attacks? More is at stake.

Cyber attacks could be devastating to a developing country on the path to a better future like Kenya. With the ever-increasing reliance upon and use of ICTs to enable more development, comes greater risk. Security problems like the defacement of government websites offering important services as well as attacks on the Banking sector, plus many others can be devastating in developing countries. “The use of ICT in many industries means that national infrastructure such as water companies, power infrastructure, banking and payments are exposed to ICT threats.” (Dennis Mbuvi, CIO/East Africa)  For these reasons, Kenya just recently launched a National Cyber Security Strategy and Master Plan in February of this year:

• In a nutshell, the Strategy will enable the government, private sector and Chief Security Officer to “[come] up with a national cyber security assets inventory and [establish] approved cyber security vendors.” (Mbuvi)
• A data protection bill is also in the draft
• a consultant behind the plan, Tyrus Kamau, says ”that its implementation will see better cyber security in the country, which will in turn lead to confidence in electronic transactions, resulting to economic growth. The move will also ensure confidence as the government rolls out various eGovernment services.” (Mbuvi)

Since I wrote my paper on the role of eGovernment in Tanzania, especially with regards to its role in establishing trust among citizens, I see huge potential in the implementation of a policy like this, especially in the rapidly developing ICT sectors in East Africa. I also think it’s interesting how what Kamau said is clearly where the benefits of employing an early plan for cyber security can be seen in developing versus developed countries.  In countries like Kenya and Tanzania there is the need to establish  trust and confidence from consumers who have been living for so long without these services, whereas in more developed countries like the U.S., the biggest threats are less of a concern to the public who is generally unaware so far of their [cyber attacks'] potential consequences. In my opinion it speaks volumes on the need for both developed and developing countries to establish comprehensive plans because regardless of their development levels, cyber threats/attacks can be detrimental to both of their economies, peoples’ livelihoods and overall safety.

Your Social Media: A Matter of National Cyber Security?

The Cyber Intelligence Sharing and Protection Act (CISPA) is a bill that would allow private companies such as Facebook, Twitter, and Google to share user information with the federal government without a warrant. To many this seems like complete breach of privacy but in reality it could soon be law. On Thursday US House of Representatives approved CISPA , but it is still unclear how the senate will vote.

So, what exactly does the government get to see and why do they want to see it in the first place?  To answer the first question, CISPA allows the government to ask communication providers like Facebook or Twitter to provide personal information if they think it pertains to a cyber security attack. Facebook and Twitter could also give information to the government if they notice suspicious behavior on their sites. The problem is that the wording of CISPA is very vague and as a result many privacy activists feel that it gives the government power to see way too much. According the Electronic Frontier Foundation, the bill is worded so that communications providers could share anyone’s emails, text messages, or files stored on clouds with the government. This gives communication providers a lot of power since they are the ones who ultimately choose what the government gets.

However, those in support of the bill maintain that CISPA is necessary to protect national cyber security, especially because they believe that cyber attacks from countries like China and Iran are becoming more likely. The author of the bill, Rep. Mike Rogers (R-Mich.) says that “this is not a surveillance bill,” meaning that the goal of the bill is not for the government to monitor domestic social networks but rather for the government to respond more quickly to potential cyber security threats.

Currently, President Obama is prepared to veto the bill unless some significant changes are made. He is worried that this bill oversteps civilian privacy rights too. I personally think that communication providers should be allowed to share information with the government but only if they have some sort of evidence. Just like I wouldn’t want the police barging into my house without a warrant, I don’t want the government to have access to all of my most personal emails and texts without cause.

CISPA: Internet Privacy v. Cyber Security

Last July, President Barack Obama published a Wall Street Journal article detailing his stance on cyber security. The President emphasized that the vast majority of our country, from food delivery to transportation to national defense, is operated through the cyber world. This article calls for legislative action to enhance cyber security. In order for this to happen, companies and the government need to be able to share information regarding cyber attacks so that speedy recovery and future prevention is easier to achieve. However, the President is careful to include the importance of individual privacy, and that any cyber security law needs to include proper protections against inappropriate usage of personal information.

In February 2013, he signed an executive order which seeks to address this topic. The order is not law, but encourages government agencies to share information on cyber attacks with the private sector in order for them to be able to cater their security towards existing and prevalent threats. It also asks the National Institute of Standards and Technology (NIST) to establish a set of cyber security standards to provide guidelines to companies.

The Cyber Intelligence Sharing and Protection Act (CISPA), which was passed by the House of Representatives this past Thursday (April 18, 2013) and is outlined in this article, however, allows information sharing to flow not only from the government to companies but also from the private sector to government agencies. This would allow the government to aid companies in strengthening their cyber security systems, as well as pick up leads on hackers. Privacy advocacy groups and the White House, however, have had problems with the language of the bill. CISPA overrules existing federal and state law, making it okay for companies to share costumer information with the government without legal liability. President Obama has already promised to veto CISPA on the grounds that it does not adequately address privacy concerns. Ideally, legislation will come to the table that enacts the sentiment of Obama’s executive order and CISPA, but with provisions for the blocking of sharing explicitly personal content.