Presentation is loading. Please wait.

Presentation is loading. Please wait.

International Cyber Security Breakfast Roundtable

Published byLee Sparks Modified over 9 years ago

Similar presentations

Presentation on theme: "International Cyber Security Breakfast Roundtable"— Presentation transcript:

1 International Cyber Security Breakfast Roundtable
International Cyber Center, George Mason University September 30, 2010 Brian Sullivan Program Manager Inter-American Committee against Terrorism (CICTE) Organization of American States (OAS) A regional perspective on cyber security in the Americas: Challenges and opportunities Inter-American Committee against Terrorism (CICTE) Secretariat for Multidimensional Security Organization of American States Thanks – Dr. Arun Sood, Co-director, ICC and Joe Richardson, Senior Fellow, ICC, and long-time partner of OAS / CICTE Exciting time to be working in cyber security – certainly the case in the Americas, with significant developments over the past couple of years Credit for this goes primarily to many dedicated people working in this area in all the Member States, many of whom have committed themselves to supporting their colleagues working in other countries and in all sectors CICTE and our partners have played a modest but important supporting role in bringing about some of these developments – it’s from this perspective that I’ll speak today – about some of the challenges to enhancing cyber security that we’ve observed, and what we perceive to be some of the opportunities for overcoming these challenges and building on the progress that has been gained so far Will be brief – hit on key points – time for discussion and questions after

2 Multidimensional Security
Our Structure Deputy Secretary for Multidimensional Security To give you some context as to our place within the organization, we are situated within the OAS General Secretariat, as part of the Secretariat for Multidimensional Security, along with the Inter-American Drug Abuse Commission and Department of Public Security. Department Policy and Coordination

3 CICTE’s Mission Website: www.cicte.oas.org www.cicte.oas.org
The main purpose of the Inter-American Committee against Terrorism (CICTE) is to promote and develop cooperation among member states to prevent, combat, and eliminate terrorism, in accordance with the principles of the OAS Charter and with the Inter-American Convention against Terrorism, and with full respect for the sovereignty of states, the rule of law, and international law, including international humanitarian law, international human rights law, and international refugee law. Website: Monthly Newsletter For the sake of time I’ll spare you the history and detail of how CICTE came to be, and the entire scope of work we do on behalf of the Member States. Simply put, our mission is to promote and develop cooperation among the OAS member states to prevent, combat, and eliminate terrorism. One of the key ways in which we do this is by working with relevant authorities within the Member States to implement training and capacity-building initiatives, and technical assistance missions, as well as to develop forums for facilitating policy development.

4 OAS Comprehensive Inter-American Strategy to Combat Threats to Cyber Security
Third Regular Session of CICTE, 2003 – Cyber security and the internet constitute an emerging terrorist threat AG/RES (XXXIV-O/04) Adopted June 8, 2004 Three Mandates Working in the area of cyber security since 2003, when the Member States identified cyber security as a key aspect of critical infrastructure protection, and the targeting of computer and information networks as an emerging terrorist threat Co-panelist Michelle Markoff played a key role in getting that discussion going, and establishing cyber security as a priority on the OAS security agenda In 2004, the OAS Member States adopted the OAS Comprehensive Inter-American Strategy to Combat Threats to Cyber Security – unique regional accord that establishes specific mandates for the three OAS entities that going forward would be responsible for OAS efforts to strengthen cyber security in the Americas

5 OAS Cyber Security Mandates
Meeting of Ministers of Justice or Attorneys General of the Americas (REMJA) - Group of Experts on Cyber Crime Cyber crime and cyber security legislation Inter-American Telecommunication Commission (CITEL) Standards, technical issues, promoting a culture of cyber security awareness Inter-American Committee against Terrorism (CICTE) Support Member States in their efforts to comply with the CSIRT requirements of the OAS Strategy to Combat Threats to Cyber Security; Assist Member States to establish a national Computer Security Incident Response Team (CSIRT), with 24/7 alert, watch and warning capability; Promote the creation of a Secure Hemispheric Network of National CSIRTs, for information-sharing and coordination. The Group of Government Experts on Cyber Crime of the REMJA was mandated to address cyber crime with a focus on developing the requisite legal tools and legislative framework to protect internet users and information networks, and to assist Member States in developing necessary investigative and prosecutorial capabilities. The Inter-American Telecommunication Commission (CITEL) was mandated to promote a culture of cyber security, and to work with government and industry stakeholders on the development and implementation of cyber security standards and regulations. Finally, the mandate of the CICTE Secretariat is to promote cyber security and combat cyberterrorism by assisting Member States to develop their 24/7 watch, warning and response capabilities – namely through the creation of national / governmental Computer Security Incident Response Teams – and to facilitate the creation of a Hemispheric network of CSIRTs.

6 Challenges in the Americas
Internal Lagging cyber security awareness at the policy level Funding scarcity Absence of a national framework for cyber security / ineffective or insufficient coordination among stakeholders Lack of technical capacity Competition between government authorities / internal politics Regional Inadequate lines of communication between counterpart authorities in different countries Disparate capabilities between countries Now to get to the interesting stuff – From our vantage point working on the development of CSIRTs, there have been a number of significant and overlapping challenges – many of which continue to complicate efforts today In general I’d lump these into two groups – First, those that pertain to the creation of governmental CSIRTs with national responsibility – to borrow a term advocated by Joe, and Second, to foster increased regional cooperation and info-sharing between CSIRTs and other governmental authorities. I’d like to mention a few of what we believe to be key challenges, but this list is by no means exhaustive. From our perspective, the fundamental challenge within the OAS Member States -- indeed some more than others -- is a persistent lack of cyber security awareness at the policy and decision-making levels. To be fair, there has been tremendous improvement on this front. Nonetheless, there persists a general lack of awareness of: -specific cyber threats, particularly those that threaten key critical information infrastructures; -the potentially far-reaching consequences of a significant cyber attack or security breach (whether an act of cyber terrorism or otherwise), especially in the absence of a robust national watch, warning, response and coordination capability; -the range of cyber security stakeholders – in government, in the private sector, within society at large; -what exactly is required of the many stakeholders – in terms of resources, technical capabilities, coordination and sharing of information; -finally, and perhaps most importantly, there is the lack of awareness of the need for a national cyber security framework -- one that firmly establishes roles and responsibilities and seeks to ensure effective coordination among all the key stakeholders – especially within the government, but outside as well. This last point constitutes a significant challenge in its own right. The challenge of delineating and coordinating the roles and responsibilities of all the relevant stakeholder authorities and agencies within a country. In most of the countries in the Americas there are numerous ministries, departments, agencies, and offices engaged in one aspect or another of cyber security or cyber crime. Many of these have developed substantial – and often overlapping – capabilities. Coordinating the efforts of these different entities, getting them to communicate and share information, removing the stovepipes – these present real challenges – all the more so where there is a lack of clear direction coming from the decision-making level. This is where having a national framework or strategy for cyber security is so important - one that identifies priorities, lays out in adequate detail which authorities are responsible for what, establishes the mechanisms and procedures for ensuring both the horizontal and vertical flow of information, determines required investments, and related to this – identifies vulnerabilities and capacity-gaps and considers how best those can be addressed through cooperation and additional outside assistance – whether from a resource such as CICTE or another regional or international body, or one of the many other organizations / actors providing such assistance these days. Hopefully Joe will talk a bit more this morning about this concept of a national framework or strategy for cyber security, as it’s an area where he has been instrumental for some time – and we think it is fundamental to the discussion of developing national and regional cyber security capabilities. Beyond the issue of raising awareness and creating the policy framework, there are a host of other challenges regarding the protection of critical information infrastructures through the development of national - governmental cyber incident watch, warning and response capacity. -Determining what responsibilities a national / governmental CSIRT should take on -Which services it should provide and to who -Establishing authorities and reconciling competing or conflicting interests within government (and with other key actors in other sectors as well perhaps) -Developing the technical capabilities and capacity that an effective national / governmental CSIRT requires Obviously there will be a need for personnel with the technical knowledge and skills to staff a CSIRT, and a requirement for hardware and software. Much of this requires resources. Resources that are difficult to obtain if the policymakers approving the budgets don’t see the development of an effective national CSIRT – or even cyber security in general – as a priority. Related to all of the aforementioned are additional challenges complicating the adoption of the necessary legal and legislative frameworks, the development of law enforcement capabilities, and the development of adequate national standards. However since our colleagues in OAS / REMJA and OAS / CITEL are focused on these areas, I’ll not go into them in any detail. Turning to the regional and international levels, there are even more obstacles to contend with. The general challenge of enabling for communication and info-sharing between countries – a challenge significantly compounded by the absence of coordination and the clear establishment of cyber security-related roles and responsibilities within some countries. A perennial question – in this area, and in other security-related areas as well – is which agency or office, and which person, should I reach out to in country X if the need arises? And how should information be exchanged? Beyond that, there remains the challenge of strengthening and institutionalizing existing channels of communication between counterpart authorities or offices in different countries. How do you ensure that the line remains intact and open in the inevitable event of a turnover in personnel, due to attrition or a change in administration? Related to this, is the absence in many instances of secure lines for communicating and exchanging information related to cyber incidents or attacks – and beyond that the mutual trust that will allow for a willingness to exchange such information. We don’t think that these issues can be fully resolved government CSIRT to government CSIRT, though it would be nice if they could. They have to be addressed government to government, which for reasons I’ve already mentioned and a range of others, can pose still more challenges. Another issue when we’re talking about regional cooperation – and this can be said of cooperation on cyber security in general, though in CICTE we see this at it relates to cooperation between CSIRTs – is the significant disparities that exist between countries in the Americas in terms of their capabilities. There are the countries that currently have a designated national governmental CSIRT (14 of them to be specific) and those that don’t. But even among those that don’t there is a wide range of capabilities, between those countries that have substantial technical capacity on the cyber security and cyber crime fronts, and those that don’t yet have a dedicated office or staff with the capacity to track cyber incidents, which complicates their ability to respond to incidents or coordinate effectively with other stakeholders. These are just some of the challenges in the Hemisphere as we see them – there are obviously many more. We’ve been working in CICTE to address these challenges – at both the regional and national levels. But for the sake of time, I won’t discuss in detail how exactly we’ve been doing that. I’ve hidden a few additional slides in this presentation that will give you a sense of the kinds of capacity-building related activities that we’ve been deploying, and would be glad to discuss all of this more with anyone who is interested.

7 CICTE Efforts in Cyber Security
First (2006) and Second (2007) Hemispheric Conferences on Cyber Security and Cyber Crime – Miami, Florida Country-specific consultations and technical assistance missions Expanded partnerships with other national, regional and international organizations Since April 2006, under the leadership of the first CICTE Program Manager for cyber security, CICTE began organizing a series of Hemispheric and regional conferences on cyber security and cyber crime – in collaboration with the U.S. Secret Service, REMJA, the governments of several OAS member states, and more recently the Council of Europe. The conferences were attended by over 300 government officials – including many of you here today -- industry representatives and others, and focused both on raising awareness at the policy level, and bridging the gap between the policymakers responsible for cyber security, and the technical personnel tackling it on a daily basis. Toward this same end, CICTE conducted a series technical assistance missions and consultations with senior officials in relevant leadership positions --those capable of contributing to decision-making and the development of policies at the national level on cyber security matters. To increase the exchange of knowledge and expertise throughout the region, and internationally, we’ve worked continuously to expand our already broad network of partners.

8 CICTE Efforts in Cyber Security
Basic Courses on CSIRT Creation and Management for OAS Member States Advanced Courses on CSIRT Management for OAS Member States OAS-hosted Secure Hemispheric Network of National CSIRTs Joint OAS Hemispheric Workshop on the Development of a National Framework for Cyber Security - Rio de Janeiro, Brazil Going deeper into the technical side of incident watch, alert and response, since 2007 we’ve organized throughout the Americas a total of seven basic and advanced courses on the Creation and Management of a CSIRT. All of the 34 OAS Member States save only a few have participated in one more of these courses, which cover from the basics of how to start a CSIRT, to advanced techniques in incident response and mitigation, and information handling. We’ve trained well over 200 individuals through these courses – individuals who either staff a CSIRT or are otherwise responsible for cyber security within their government. Working with the OAS Office of Information Technology Services, we started in 2008 a first of its kind pilot Secure Hemispheric Network of CSIRTs. Since the Network’s inception as a pilot project in early 2008, its membership has expanded from five countries – Brazil, Uruguay, Costa Rica, Guatemala and Suriname – to 17 countries, and over 65 users – with these numbers growing by the day. Users can utilize the network to pose and discuss technical questions, challenges faced and best practices employed, to share materials and resources, and if they choose to do, exchange information on specific incidents. The idea, basically, is to individuals working as part of a national or governmental CIRT, or otherwise responsible for watch, alert and response, a direct and secure line of communication to their counterparts working in other countries.

9 International Cooperation and Partnerships
Very briefly – just to give you a sense of the range of partners we’re working with in the region and internationally – these are some of the organizations and authorities that have taken on leading or important supporting roles in promoting cyber security and incident management in the Americas. It’s an extensive network of partners, and one which we have leveraged to bring to bear expertise and resources to the benefit of the Member States.

10 Going Forward 2004 2009 2013 Training Courses and Exercises on Advanced CSIRT Management for OAS Member States Country-specific technical assistance missions to establish and develop a national CSIRT Cyber Security and Cyber Crime Best Practices Workshops Expand the OAS-hosted Secure Hemispheric Network of National CSIRTs VOIP, public and private web pages, repository of resources Looking forward, we will continue to provide the Member States with technical training in CSIRT operations and management; with courses aimed at increasing the technical capabilities CSIRT or would-be CSIRT personnel; We will be increasingly focused on carrying out country-specific technical assistance missions or workshops, in conjunction with some of our key partners. The general aim of these is to engage all key stakeholders within a country for an inter-active discussion to outline plans of action for the creation of a national / governmental CSIRT, and/or to outline a national cyber strategy or framework. We will continue to facilitate the sharing of experiences, information and best practices through regional workshops, and technical country-visits (for example, a delegation of officials from Ecuador visiting the U.S. to meet with their counterparts in DHS), and online training courses. Finally, we’ll also continue to work to expand and develop the OAS Secure Hemispheric Network of CSIRTs and Governmental Cyber Security Stakeholders. I’ve also hidden a few slides on this particular tool, which we’re very proud of. I’ll just say it’s a virtual platform to enable CSIRT personnel and other appropriate government officials to securely engage one-to-one or in a collective fashion, whether to discuss topics of mutual interest or cooperate in responding to a particular incident.

11 Network of National CSIRT and Cyber Security Authorities
Groove Networks Facilitates secure communications among geographically disperse teams; Data encryption (192 bits) – Security is always on – it is not optional; Information is confidential; There is no central data repository; Users decide with whom they share information; We will also be working with our partners in OAS-DOITS to expand the OAS Network of CSIRTs. Briefly, the Network as it currently stands utilizes Microsoft Groove Software, to facilitate secure communications among geographically disperse teams. It has data encryption of 192 bits, which means that Security is always on – it is not optional; The information shared within the Network is confidential. Since there is no central data repository, the OAS DOES NOT have access to the information. It is entirely up to each individual user to decide with whom they share information. All users have been officially designated by their government to participate in the Network. At this moment we have over 65 users representing 17 countries, and we anticipate that more will join soon.

12 Expanded Network Infrastructure
Public Component Introduction to each country’s national / governmental CSIRT Current documents and texts on cyber security in the Member States Cooperative agreements / arrangements within and among the Member States Relevant legislation, jurisprudence and other legal documents Electronic information bulletin Private Component Information about meetings / training opportunities Directory of national authorities Requests Questions / responses Glossary To build on this, we intend to develop an expanded network infrastructure. This will include both a public component and a private component. The public component will include: (see the list on the slide) The private component will include: (see the list on the slide) The idea behind expanding the OAS Network of CSIRTs, or better said, developing it into a multi-component platform, is to facilitate the growth of a truly Hemispheric “network” – little “n” – of individuals engaged in cyber security in all sectors. This will include government officials responsible for different aspects of cyber security, but also individuals working in the private sector, academia, and civil society. Given the nature of cyber security and the threats we all face, such an inclusive and collaborative approach couldn’t be more necessary.

13 Designated National / Governmental CSIRTs September 2010
Canada United States Venezuela Suriname Uruguay Argentina Chile Bolivia Brazil Guatemala Costa Rica The Bahamas Paraguay Dominican Republic Finally, just to wrap up on a positive note, as I mentioned at the outset there have been some very positive developments over the past few years. When we started in earnest with our program in 2006, there were 5 officially designated governmental CSIRTs. Now there are 14, and I think we may see a couple more come on-line in the near future – Antigua and Barbuda, Colombia, perhaps Mexico, Guyana A number of countries have become models for the region and the world in terms of coordinating 24/7 watch, warning and response at the national and governmental level. They have also become the leading providers of training and technical assistance to other countries in the Americas, and have been at the fore of developing a coordinated, Hemispheric approach to cyber security. In particular I should mention Brazil, Argentina, Uruguay, Suriname. Some smaller countries – Suriname, Paraguay, Costa Rica – have taken limited resources and developed effective national governmental CSIRTs. Interestingly, stemming from both countries active participation in our courses, an accord was reached between the Presidents of Uruguay and Costa Rica, to formally establish a cooperative arrangement between the two countries for strengthening their respective cyber security capabilities. So good things are happening, and we’re proud to have the chance to play a supporting role. I’ve just glossed over all of this – there are many related and additional challenges, factors, considerations. I’m glad to discuss these, or to try to answer any questions you might have.

14 Thank you Please feel free to contact us:
Brian Sullivan Program Manager George Soares Belisario Contreras Program Assistant Inter-American Committee against Terrorism 1889 F St. NW – Washington D.C. Tel Fax

Download ppt "International Cyber Security Breakfast Roundtable"

Similar presentations

Secretariat for Multidimensional Security

Secretariat for Multidimensional Security
The intersectoral approach within the OAS Inter-American Council for Integral Development (CIDI) First Meeting of Ministers and High Authorities of Social.

The intersectoral approach within the OAS Inter-American Council for Integral Development (CIDI) First Meeting of Ministers and High Authorities of Social.
CITEL September / 2009 Inter-American Telecommunication Commission.

CITEL September / 2009 Inter-American Telecommunication Commission.
Nature of the participation of the GS/OAS in the RIAC Department of Economic Development, Trade and Tourism Executive Secretariat for Integral Development.

Nature of the participation of the GS/OAS in the RIAC Department of Economic Development, Trade and Tourism Executive Secretariat for Integral Development.
March 12, 2013 Activities undertaken to facilitate the participation of civil society organizations in the OAS 2012-2013 Department of International Affairs.

March 12, 2013 Activities undertaken to facilitate the participation of civil society organizations in the OAS Department of International Affairs.
STRENGTHENING COOPERATION ON CYBER SECURITY WITHIN THE ASEAN REGION

STRENGTHENING COOPERATION ON CYBER SECURITY WITHIN THE ASEAN REGION
Philippine Cybercrime Efforts

Philippine Cybercrime Efforts
Tanzania Communications Regulatory Authority - TCRA Response to Cyber incidences in Tanzania: Where are we? Presented at Cyber Security Mini Conference.

Tanzania Communications Regulatory Authority - TCRA Response to Cyber incidences in Tanzania: Where are we? Presented at Cyber Security Mini Conference.
Counter-Terrorism Implementation Task Force (CTITF) Open Briefing to Member States 27 July 2010 Conference Room 2 NLB.

Counter-Terrorism Implementation Task Force (CTITF) Open Briefing to Member States 27 July 2010 Conference Room 2 NLB.
11 Department of Economic Development, Trade & Tourism, Tourism Office PREPARATORY MEETING TO THE XIX INTER-AMERICAN TRAVEL CONGRESS REPORT OF THE PERMANENT.

11 Department of Economic Development, Trade & Tourism, Tourism Office PREPARATORY MEETING TO THE XIX INTER-AMERICAN TRAVEL CONGRESS REPORT OF THE PERMANENT.
Model OAS General Assembly (MOAS). PURPOSE OF THE MOAS The Model OAS General Assembly (MOAS) is a program of the Organization of American States (OAS)

Model OAS General Assembly (MOAS). PURPOSE OF THE MOAS The Model OAS General Assembly (MOAS) is a program of the Organization of American States (OAS)
THE INTER-AMERICAN CONVENTION AGAINST CORRUPTION AND ITS FOLLOW-UP MECHANISM GENERAL SECRETARIAT OF THE OAS.

THE INTER-AMERICAN CONVENTION AGAINST CORRUPTION AND ITS FOLLOW-UP MECHANISM GENERAL SECRETARIAT OF THE OAS.
Program for Comprehensive Action against Antipersonnel Mines Report to the Committee on Hemispheric Security March 26, 2015 Department of Public Security.

Program for Comprehensive Action against Antipersonnel Mines Report to the Committee on Hemispheric Security March 26, 2015 Department of Public Security.
Fighting the Crime of Trafficking in Persons, especially Women, Adolescents and Children in the Americas OAS/CIM Report of Activities July 2004 – April.

Fighting the Crime of Trafficking in Persons, especially Women, Adolescents and Children in the Americas OAS/CIM Report of Activities July 2004 – April.
Meeting of the Regional Consultation Group on Migration, Regional Conference on Migration Recent Developments on the International Protection of Refugees.

Meeting of the Regional Consultation Group on Migration, Regional Conference on Migration Recent Developments on the International Protection of Refugees.
Inter-American Defense College A Confidence & Security Building Measure Inter-American Defense College Building Confidence & Security Since 1962

Inter-American Defense College A Confidence & Security Building Measure Inter-American Defense College Building Confidence & Security Since 1962
Trafficking in Persons in the Americas: Member States and OAS Efforts to Prevent it and Combat it OAS Headquarters, March 6, 2014.

Trafficking in Persons in the Americas: Member States and OAS Efforts to Prevent it and Combat it OAS Headquarters, March 6, 2014.
THE 9TH INTERNATIONAL ANTI-CORRUPTION CONFERENCE GENERAL SECRETARIAT OAS.

THE 9TH INTERNATIONAL ANTI-CORRUPTION CONFERENCE GENERAL SECRETARIAT OAS.
REPORT OF THE CHAIR AND THE TECHNICAL SECRETARIAT OF THE INTER-AMERICAN COMMITTEE ON EDUCATION (CIE) Gloria Vidal, Minister of Education, Ecuador and Chair.

REPORT OF THE CHAIR AND THE TECHNICAL SECRETARIAT OF THE INTER-AMERICAN COMMITTEE ON EDUCATION (CIE) Gloria Vidal, Minister of Education, Ecuador and Chair.
Achievements in the incorporation of OHS in Declarations and Plans of Action of the main hemispheric fora Maria Claudia Camacho Department of Social Development.

Achievements in the incorporation of OHS in Declarations and Plans of Action of the main hemispheric fora Maria Claudia Camacho Department of Social Development.

Similar presentations

Ads by Google