Geneva, Switzerland, September 2014 Towards a partnership-based framework for secure ICT Infrastructure in developing countries Bill McCrum Senior Director, Telecom Consulting ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, September 2014)

CONTENTS Overview Policy and Legislation Regulation and Enforcement Infrastructure Challenges in Developing Countries Economic Impacts of Insecure ICTs Unique Role of ITU-T Mutual Recognition Agreements (MRAs) Conclusion and Recommendations Geneva, Switzerland, September

Three Principal Component areas of a Partnership Framework Institutional  Policy  Legislation  Regulation  Enforcement Technical  Accreditation  Certification  Testing Labs  Standards Operational  Mutual Recognition Agreements Geneva, Switzerland, September

OVERVIEW Many governments have proposed and are enacting policies, legislation, regulations & strategies to secure their ICT infrastructure A partnership framework for policy, legal, regulatory and enforcement is highly desirable Today’s global ICT infrastructure is highly interdependent but with a wide variety of system suppliers and incompatible equipment Many organizations setting standards in ICT security – cooperative framework can help New frameworks needed to include all aspects from standards to compliance and best practices. Geneva, Switzerland, September

Small Sample of the Problem Hacking attacks on State entities according to a major Asian country report, now estimated at one every 30 seconds Same scale of attacks are now commonplace in most developed countries affecting State, Business and Personal activities Yahoo quote: “there are only two types of companies: the ones that have been attacked, and the ones that just don’t know it yet” “Intrusion Prevention” company reports that 100% of large Corporations investigated had active commercial espionage infections Geneva, Switzerland, September

Framework Policy Component Policies that recognize reliance on the interconnectedness of a secure global digital infrastructure for prosperity A policy of regional and global engagement on a common cybersecurity framework as an essential step in the process Interoperability identified as a top policy challenge especially in developing countries Commitment to globally accepted standards as a key policy for achievement of connectivity Geneva, Switzerland, September

Framework Legislative Component A targeted legal framework needed to prosecute offenders in e-fraud and ICT infrastructure attacks with global reach Appropriate legislation to deal with electronic offenders at all levels with a long reach Pressure groups are being formed to lobby legislative assemblies for speedy legal remedies New legislation is envisaged that would require mandated disclosure of all security incidents and fraud losses to appropriate authorities New USA Cybersecurity Information Sharing Act launched in past few weeks Geneva, Switzerland, September

Framework Regulatory Component Regulator’s interest spiked by increasingly costly and sophisticated cyber attacks ($100’s of Millns) Renewed interest by governments to audit cyber security defenses of corporations and financial institutions within a defined framework Audits should be done against defined standards, laws and regulations with global collaboration Basic principles of fair notice and due process must be respected in all jurisdictions Defensive and remedial actions against hackers must not be held hostage to partisan political agendas Geneva, Switzerland, September

Framework Enforcement Component Laws and regulations are struggling to keep pace with the volume and sophistication of attacks Enforcement must be carried out in keeping with laws, regulations and standards within an agreed framework Many countries have laws but no enforcement Others have enforcement but inadequate laws Expect enforcement agencies to increasingly hold parties responsible for the unlawful release or failure to protect sensitive information Enforcement must have global reach and be based on trusted credentials across borders Geneva, Switzerland, September

ICT Infrastructure Challenges in Developing Countries Surveys conducted by the ITU in 2011 and 2013 identified a wide range of conformance and interoperability problems in developing countries. Prominent findings in common:  Incompatibility of new equipment with legacy equipment even among equipment of same supplier – pass through services, including security, reduced to lowest common denominator  No national conformity assessment capabilities  Non-standard proprietary interface specifications and no commitment to international standards  Inadequate financial resources and expertise in country  Susceptibility to malicious and opportunistic economic cybercrime Geneva, Switzerland, September

Economic Impacts of Insecure ICT Infrastructure Significant delays in deployment of new services such as e-health, e-education, e-financial services, e-government, social networking Delayed full participation in the 21 st century digital world Result is reduced economic growth, lost opportunity and lower standards of living Concerns with QoS, security and trust in ICT infrastructure and services Problems with counterfeit products and dumping Need for institutional reforms at many levels Geneva, Switzerland, September

Unique Role of ITU The ITU-T standards development process accommodates input from every Member State of the United Nations on an equal footing This is especially important to developing countries which often cannot afford to send large delegations to standards development bodies to promote their viewpoints The ITU Bureaux offer developing countries:  Inclusion – a voice in the standards process  Training and mentoring - access to expertise  Coordination and trusted brokering of partnerships amongst Member States for support, assistance and sharing of resources Geneva, Switzerland, September

Operational Component of Framework “Mutual Recognition Agreements” Establishment and maintenance of a secure ICT infrastructure requires the following facilities:  Testing Labs, Certification and Accreditation Bodies - services potentially shared among multiple countries  Capability of assessing conformity to security standards and other standards for interoperability and regulatory compliance  MRAs can provide trusted sharing of such facilities among multiple partners based on trusted credentials  Legal and Regulatory instruments need to be in place to permit the trusted sharing required  Countries within a region sharing cultural, social and economic goals can find MRAs a very useful tool Geneva, Switzerland, September

Conclusions and Recommendations A secure ICT infrastructure is essential to economic prosperity and growth The 3 components of a partnership framework presented here must move towards convergence of principles globally to make this happen MRAs can provide a trusted partnership framework to facilitate the discussions of like- minded parties in ICT infrastructure security MRAs are now a well established instrument of cooperation and collaboration across sovereign boundaries and can be recommended for this challenge – and the ITU can help. Geneva, Switzerland, September

Geneva, Switzerland, September THANK YOU FOR YOUR ATTENTION