Tag Archives: Cybersecurity

Importance of Cybersecurity Strategies

This week’s reading focused on CyberSecurity and the importance of national strategies. In ITU’s report ITU National Cybersecurity Strategy Guide written by Doctor Frederick Wamala he discusses the importance that a national government and security should consider when creating their national strategy. Cyberspace involves all of the systems connected directly or indirectly to the Internet while cyber security focuses on the strategic plan to protect cyberspace and ensure that the system continues to function under a threat.

According to the guide there are 10 important elements of creating a National Cybersecurity Programme. The first item of the list is “Top Government Cybersecurity Accountability”. According to the guide this element is important for a cyber security programme has to be cross-sectional across a nation. Not solely local or national but has to cooperate under all levels of government. They are the ones accountable for devising a functional plan. The second term on this list is a coordinator. Like Homeland Security it is crucial that there is an office or individual who oversees cyber security activities. Thirdly a “National Cybersecurity Focal Point” meaning the multi-agency body is the focal point for all of the activities dealing with protection. Fourthly when creating a Cybersecurity you need to design the “Legal Measures” in which a team drafts a policy and law procedures in response to cybercrime. Fifth on the list is a Framework. This is your start of the plan for which you state the basic elements required in a national security. Sixthly, you need to designate a Computer Incident Response Team (CIRT) which is a “strategy led programme contains incident management capabilities with national responsibility”. They are responsible for coordinating responses to the stakeholders. After creating a team you need to promote awareness and education about cybersecurity. It is important that the nation knows and understands the importance of cyber threats. Eighth on the list is a “Public–Private Sector Cybersecurity Partnership” for which Government agencies should collaborate with private companies such as Google. In order for a security team to be set up you do however need to train cybersecurity professionals. Lastly, the government needs to form “International Cooperation” especially cause most cyber threats come from other countries and global cooperation is vital to additional security. If a country follows these initial guidelines to forming and creating a National Cybersecurity Programme, they should soon be able to generate a national strategy plan for which they will increase security and ensure that their nation’s cyberspace and private information is never threatened.


ICT4D: looking back

When I initially took this course, I really had no idea how technology would fit in the field of development. I remember the first class when Professor Ports asked if any of us knew about Information and Communication Technologies and I did not have a clue what she was talking about. I have never considered myself to be a very tech savvy person and my initial thoughts were that concepts from this class wouldn’t prove to be particularly vital. Indeed, I was proven wrong. We live in an extremely fast paced world that is driven by continuous technological advancements. The scope of technology and its applications extends across all sectors and ultimately, without a grasp on technology, one is unlikely to succeed.

Being exposed to the many real-world applications of ICT4D throughout the course is what really sparked my enthusiasm. I was excited to see course lessons extend beyond the classroom walls and realized that the knowledge and skills gained through this course will be applicable to any career path. It was also this class that solidified my career passions in the humanitarian sector. Specifically, I was inspired by the ICT4D applications in disaster relief and humanitarian aid. I was amazed by the whole idea of crowd sourcing/HOSTOM and its ability to function efficiently in a situation when every second counts. In addition, the experience we had working with Geographic Information Systems gave me invaluable skills that will be extremely useful to a career in disaster management. After focusing on the humanitarian sector for my group project, I became really interested in other ICT4D applications that could bring even greater benefit! An area of ICT4D that I feel deserves more attention is what our class recently covered in regards of cyber security. It’s nearly impossible for the appropriate policies and regulations to keep up with technology’s fast-paced nature. This leaves a huge gap in cyber security, such as potential for cyber threats, and I think it is crucial that this aspect of ICT4D is addressed as we move forward. We’ve seen endless examples of ICT4D applications bringing great benefit to the people and overall development, from advocating for human rights, ending corruption, to e-medicine, and I’m excited for what the future of ICT4D holds.


ICT4D: course lessons

Based on our readings, lectures, guest speakers, and presentations in this course, the most salient topics for me were: the dos and don’ts of ICT4D, appropriate technologies, why ICT4D projects fail, the relevance and role of ICT4D in the major sectors of development, mapping and emergency management/ disaster relief, social media, and cyber-security. The discussions and material from these sessions will stick with me the most as I move on in development. I learned several important lessons about ICT4D that will definitely contribute to my professional career in development, including the importance of:

1)   Ensuring that projects are demand driven

2)   Using local knowledge and power

3)   Taking the local context into highest consideration: the citizens’ current lifestyle, behaviors/ tendencies, the existing infrastructure (or lack thereof), most frequently used ICTs, their motivation towards the proposed idea (which should be created mutually) etc.

4)   Ensuring that the infrastructure that is required for your project is in place or in progress (electricity, Internet, etc)

It’s also important to realize that with technology and development comes a responsibility to protect individuals in the digitized world. Cybersecurity is an essential complement to ICT4D.

The topics that resonated most with me, and the ones that I think will be most useful to me moving forward are the implications for ICT4D in the health care sector, and the potential for mHealth, mobiles, and radios for development in general. I hope to go into the field of maternal and child health in my future, and this class exposed me to the supporting role that ICTs can play in health care, which is something I had not considered in depth before. Through research for blog posts, our second paper, and our sector projects, I uncovered some fascinating ICT4health initiatives such as the Taru Initiative radio entertainment-education campaign in Bihar, India, the WHO mCheck project for maternal and child health, the eMocha health app for smartphones that facilitates health care in developing countries greatly, and others. My eyes are now open to many more possibilities to improve health in developing countries via ICT solutions including distance learning, radio-based health campaigns, SMS texting interventions, and many more.

The implications for social media as a platform for ICT4D also spurred an interest in me. I think it was great that we had the opportunity to work with some of these platforms such as Twitter and WordPress on a regular basis. It allowed me to become more ‘digitally literate’ and gave me a hand into the ICT4D community online. Now I always know where to go to access breaking news or general information, stories of ICT4D trials and errors, and current initiatives in the particular sectors of ICT4D which are most interesting to me (namely health). Getting to do real mapping with HOSTM was also undeniably a great learning experience; it was awesome to get the chance to contribute to real ICT4D work. In addition, crowdsourcing as a platform for ICT4D was a very new and intriguing concept for me that seems to have a lot of promise in our digital world.

In my opinion, the most useful framework presented in this class was Human Centered Development. I liked the report that we read a lot and I very much agree with the project design and implementation process that it promotes. It clearly proposes needs assessments and grassroots development, which I think are essential to development projects. It supports demand driven development, considerations of local context, culture, and peoples, monitoring and evaluation, sustainable human development etc; all of which we have established as “DOs” for development. The topics covered in this class gave us a great overview of an entire field in international development. I especially enjoyed module 2 where we reviewed several case studies, because that allowed us to take broader theories and frameworks and zoom in on the specifics. I think that we touched on all the right things, and our discussions were supplemented greatly by some amazing guest speakers that we had the opportunity to hear from.


Should the Government know about Private Companies’ information security strategies?

In our class yesterday, Ralph Russo stressed the importance of understanding that no entity exists that has the authority to or even can regulate the internet. Therefore, there is the potential for many cybersecurity attacks to occur that can be, if not properly defended against, devastating to economic, political, and personal safety.

The burden of protecting sensitive information systems falls primarily upon the government; however, the private enterprises that control important services, such as power companies, health institutions, and food supply chains must also take initiative in securing their control systems because of the potential loss of business they may face due to a cybersecurity attack. In essence, both private and public entities must play an active role in defending our country against cybersecurity attacks, but the question is whether the government will require certain private companies, like utilities companies, to disclose cyber-defense strategies to the government to enhance overall national safety.

Interestingly enough, the Washington Post published an article this afternoon that reported that “[t]he White House has backed away from its push for mandatory cybersecurity standards in favor of an approach that would combine voluntary measures with incentives for companies to comply with them.” This current position is a result of the failure of bipartisanship; so many factors must be considered in a case such as this because the freedoms and privacy rights of companies and individuals may be violated. Therefore, the White House wants to make information-sharing voluntary.

Do you think the government should be lax in its cybersecurity policies regarding private businesses that are critical to the daily functionings of American society? It seems to me that it would be in the best interest of both the government and these private businesses to share at least some basic information about the internet since separately, they are much more vulnerable to cybersecurity attacks than as part of a joint effort.


Government Employees Need to get Schooled on Cybersecurity

This week, both our classmate Annie Mellon and our guest speaker Professor Ralph Russo, briefly discussed the pressing issue of cyber security and cited examples from different security breaches including worms that invade control systems in nuclear plants to mobile applications that hijack airplanes. Russo mentioned that he fears the government does not know how to cope with many of these serious threats. After researching the matter, it turns out they don’t.

According to an article by CBS (http://goo.gl/KZd3L), no organized, across-the-board computer safety training is offered for employees even though electronic data theft from governments among other issues are unquestionably on the rise. One would think at least Wikileaks or Anonymous would be a wake-up call.

Information technology experts view training as an integral component of cybersecurity and D.C. officials admit their own employees should be more educated on computer use (yet seem to have a hard time acting on it), especially as governments face sophisticated cyber-threats such as those referenced above and as human errors have contributed (and will continue to contribute) to widespread data breaches.

While government officials have legitimate points when they argue that developing internet security through new products and tools come first, others argue that it should be the other way around. What do you all think? Should training be put on the so-called back-burner for now?

One might have to consider what Eric Chapman, deputy director of the Maryland Cybersecurity Center at the University of Maryland, has to say:

If you have one user who’s fundamentally unaware of what a spear-phishing email looks like, the entire enterprise is vulnerable

If US employees are incompetent at dealing with these rapidly emerging issues, government employees in the developing world certainly are not equipped to deal with them. Will basic training even suffice to combat many of the issues? Hacking into the cyber space has become more sophisticatedly performed with every day. These are ill-intentioned uber-geniuses we are dealing with.


2012: The new year of cybersecurity

In this week’s lecture we discussed cyberspace and cyber security strategies. To begin I will differentiate the two terms. According to the ITU National Cybersecurity Strategy Guide written by Dr. Frederick Wamala in 2011, the term cyberspace is used to “describe systems and services connected either directly to or indirectly to the Internet, telecommunications and computer networks”. Cybersecurity on the other hand is a term used to describe a strategy of defense that is crucial to all governments for it ensures that cyberspace (internet) continues to work efficiently and maintain social order if it is attacked unexpectedly by an external threat. Secondly I will discuss an article that illustrates the true importance of cybersecurity.

In an article 2012: Year of War Against Cyber Crime written by Arthur Coviello published in early 2012 in The Economic Times he discusses the negative side effects of a technological emerging world and how shared private information has the possibility of becoming public. In 2011 there were various attacks on large corporate companies such as Sony, Epsilon and Google in which their software information was hacked and stolen. Thus in 2012, these companies have decided to “focus on key areas of improvement and innovation”. According to the author he believes that both private and public sectors should collaborate and establish a common framework to share information. According to the article “today’s attackers are better at sharing real- time intelligence than their targets”. As ITU suggested in their guide for national strategies and similarly in the article, education and training of our cyber workforce will become the priority. It is not only important to create a government programme dedicated to cyber security but also support cyber security programmes “that graduate more individuals in computer sciences and risk assessment.” ITU suggested this national strategy plan in 2011 and this article claims that the US federal government is enforcing and renewing its cyber security workforce plans and is anticipating to spend nearly 13.5 billion on cyber security initiatives by 2015. Organizations as well will begin to change the way they incorporate security into their systems. While our society has made huge innovations in the field of technology it is vital to our well being of individuals and nations that our cyber information is protected and safe.

Thus as the article claims and ITU suggested and seems to be in the United States’ interest and future strategic plans, cybersecurity needs to be incorporated into a national programme and policy and should work alongside private companies such as the one listed above to ensure full capacity security.


Does Anonymous Pose a Threat to Cybersecurity?

This week’s topic of discussion was one of my favorites by far: Cybersecurity and hacking. Before reading the two articles discussed in class, and listening to our guest lecturer Ralph Russo, professor at Tulane University in the Homeland Security Program, I was not fully educated on cybersecurity and its threat to human individuals. When thinking about ICT4D I never thought cybersecurity and hacking would apply as greatly as it really does. What really intrigued me about Professor Russo’s talk was when he mentioned the use of applications on mobile phones, and if they are a means to promote a cyber attack. This really got me thinking, everything is run by technology: every means of transportation, food stands, banking, water industries, etc. In connection to developing countries, not having a cybersecurity plan can be detrimental to that country’s success and can lead to further impoverishment. However can hacking also be beneficial to social welfare of individuals? In regards to hacking and cybersecurity, I recently read an article by Dave Smith in reference to the hacktivist group Anonymous. To learn more about Anonymous please read brookekania’s post Internet Hackers: Anonymous.

In brief, Anonymous is known for hacking an array of targets such as from the internet company GoDaddy to religious organizations to government websites, the Pentagon, and most recently Bank of America and the controversial Steubenville High School Rape Case. This year Anonymous hacked into Bank of America, releasing up to 16 gigabytes of information related to Bank of America, Bloomberg, Thomson Reuters and others. This group articulated that Bank of America had employed security firms to “spy and collect information on private citizens” (Smith, 2013); it also was spying on social activist groups, Anonymous being one of them. The group also released the salaries of top CEOs from around the world. Although many officials say that this was a hack, Anonymous denied this accusation by having one of their subgroup representatives identifying itself as Par:AnoIA speak in a press release stating:

“The source of this release has confirmed that the data was not acquired by a hack but because it was stored on a misconfigured server and basically open for grabs,” Par:AnoIA said. “Looking at the data it becomes clear that Bank of America, TEKSystems and others (see origins of reports) gathered information on Anonymous and other activists’ movement on various social media platforms and public Internet Relay Chat (IRC) channels (Adams, 2013).”

Additionally, the group found even more disturbing information: they discovered that the data was retrieved from an Israeli server in Tel Aviv. What is BofA’s connection with Israel? The aim of releasing this information was not to induce a cyber security threat on BofA. It was to inform the American people about how corporations may be wrongfully spying on online activism that does not pose any threat impeding on individuals’ freedom. They also wanted to shed light on the questionable ways that BofA and other powerful corporations are funding these actions. Anonymous spokesperson stated: “We release the received files in full to raise awareness to this issue and to send a signal to corporations and Governments that this is unacceptable.” Although their actions were intended for the welfare of Americans, hacking into a bank poses serious cyber security threats to the country and its partners. Were Anonymous acts justified?

Anonymous was also in the news about their actions in the Steubenville High School Rape, where social media was used to perpetuate rape culture but also to bring light and justice to sickening and graphic details about this controversial event. The case centered around two star high school football players and their involvement in raping an intoxicated unconscious teenage girl at a party. During the party pictures and videos were taken of both the unconscious and the two teammates talking about their actions towards the girl. According to AlterNet’s writer Kristen Gwynne, for months, only Alexandria Goddard of Prinniefied.com reported on the rape, where she stated that there was social media evidence (Twitter, Facebook, Instagram) that could be linked to the perpetrators of this crime (Gwynne, 2013). Her reporting drew in Anonymous and they were able to hack into these media sites where they released a disturbing video of the teenagers who performed this inhuman rape act. Through their hacking, Anonymous was able to bring justice to the victim’s family, and draw national attention to a crime that could have been easily thrown under the rocks. Although this event was not a threat to cybersecurity, it does pose a question about the privacy of the web and its monitoring. Should social networks be monitored more heavily to prevent heinous crimes like this, and how could this be beneficial for developing countries? From a capabilities approach, are the actions of Anonymous justified and can this hacktivist group be a catalyst for ICT4D?

 

http://www.alternet.org/how-anonymous-hacking-exposed-steubenville-high-school-rape-case

http://www.ibtimes.com/bank-america-hacked-anonymous-hackers-leak-secrets-about-executives-salaries-spy-activities-1107947


Spear Phishing Attacks South Korea

In March of this year, a  cyber attack wiped out many banks and broadcasters in South Korea. Specifically concerning about this attack was the fact that many members of the Shinhan banking network were targeted using what is known as spear phishing. Spear phishing requires prior knowledge about a specific person or group of people to be targeted and hackers send phishing e-mails to these specific people. The look-alike pages used in phishing and spear phishing can be especially worrisome due to the fact that people put their trust in a company and may blindly follow commands upon asked to change their password or something of the like.

This cyber attack was well-planned according to researchers in that hackers gained access to the organization’s computers eight months prior, monitoring the activities inside the server. Finally, malware was distributed to computers, wiping out much of the data.

These attacks are of an extremely serious nature. They allow for high return for the hacker with little traceability or chance for getting caught. The introduction of AttackKits allows for less knowledgeable hackers to conduct attacks on larger scales than otherwise possible.

Spear phishing to large organizations, or even vulnerable populations, can on any scale have detrimental effects. The freedom of the internet and the anonymity behind it has spiraled into a world of its own, allowing large amounts of data to be stolen or wiped out without even having to leave the house. This begs the question on how to protect against cyber attacks. Nation-wide implementation of cyber security should be a main priority, as cyber attacks could potentially wipe out essential information and infrastructure, leaving it at a standstill and having to start from ground zero. Policies must begin to be more stringent in this manner.

Read the article about South Korea here and here.

 


Making Cybersecurity A World Wide Issue

When we first began our discussion on cybersecurity, I was struggling to figure out the needs for such an ICT initiative in the developing nation. There is no terrorist organization or foreign entity that is going to want to cause mayhem in a developing country, because what’s the point? But then after this week’s lecture and hearing Professor Russo discuss the need for cybersecurity, I realized that protecting online information and softwares is a key component of development. With weak security on anything from banking to government files, citizens of a developing nation are finding trouble trusting their government or banks, leading to a failure with domestic investments. A lack of domestic investments further retards a developing nation’s economy, and promotes a greater divide between the developed and developing. For this reason alone, I feel that cybersecurity is a huge step towards development, and that organizations such as the EastWest Institute (EWI) are making great strides in the development of this field.

EWI is a corporation responsible for the 2009 Worldwide Security Initiative, which views the securement of cyberspace as a global challenge. The Worldwide Security Initiative formed a coalition of representatives of the world’s most digitally advanced nations, whose aim is to “shape “rules of the road” for cyber conflict and fighting cyber crime through international cooperation.” With programs starting in India, China, and Russia, the EWI is committed to bringing cybersecurity initiatives to the developing world in order to secure cyberspace around the globe.

The video below details the aims of the Worldwide Security Initiative, and discusses the importance of why cybersecurity is truly a world wide issue. It is because programs like the EWI that gives promise to developing nation’s economies, and provides the guidance for these developing nations to accomplish these goals.


FAA Comments on In-Plane Cybersecurity

In our most recent class, the subject of cybersecurity took a particularly dramatic turn when the topic turned to in-plane security with regards to malicious software apps on smartphones. The app in question is a particular piece of code written by Hugo Teso, a German security consultant, and unveiled at a security conference two weeks ago. As Gizmodo, a popular gadget blog, writes on the subject, the app demonstrated “could falsify data and adjust the heading, altitude, and speed of an entire airplane.” The potential for this app is frightening indeed; that is, if the application worked as advertised.

Upon further review, the app appears to be, for the time being, unable to replicate its results on live aircraft.  The exploits appear to only be valid in the training version of the plane management software.  As the same Gizmodo article points out, the Federal Aviation Administration dismissed the application’s claims rather quickly.  The FAA contends:

[A] German information technology consultant has alleged he has detected a security issue with the Honeywell NZ-2000 Flight Management System (FMS) using only a desktop computer. The FAA has determined that the hacking technique described during a recent computer security conference does not pose a flight safety concern because it does not work on certified flight hardware.

Elaborating on why the certified flight hardware was immune to the exploit, the European Aviation Safety Administration, or EASA, reports that the training software lacks the overwriting protections that the certified software used in-flight have installed.  In short, it seems that the software was written with enough forward thinking redundancies, authenticators, and other security features that the software is ahead of the present threat.

The question remains however how the software will react in the future to these threats.  This exploit, though done as a proof of concept rather than with explicit malicious intent, nevertheless has been let out of the proverbial bag.  As planes gain wifi and other networking capabilities, how long will these current software protections be sufficient?  What this ordeal teaches us, more than that our planes are presently safe from these types of attacks, is that we must continue to develop software with forward-thinking security in order to ensure our safety in the 21st century.

