Workshop on Managing Risks in an Interdependent Economy
Risks related to Cyberspace
Som Mittal, Former President & Chairman, NASSCOM, India
Sept 27, 2014
A Global and Interdependent World
Digital Connectivity Growing Rapidly
Source: Open.edu
Every Advancement brings New Risks
Advancements and their Associated Risks:
• Increased air travel / Commutation: Accidents & Disasters, Pollution
• Nuclear Plants: Contamination / Nuclear Weapons
• Seamless communication and interconnected devices: Increased global risks
• Digital Age: Cyber crimes / warfare
The only solution is to find ways to mitigate
Global Risk Landscape – Systemic Risks
• Economic Risks
• Societal Risks
• Geopolitical Risks
• Environmental Risks
• Technological Risks
Source: World Economic Forum Global Risk Report 2014
Video: Cybersecurity.mp4 (Courtesy: Microsoft – Europe)
Global Risk Landscape – Impact & likelihood
Critical info Loss
Cyber frauds
Cyber attacks
Major Global Risks 2014
Likelihood:
• Income Disparity
• Extreme weather events
• Unemployment & Underemployment
• Climate change
• Cyber attacks
Impact:
• Climate change
• Fiscal crisis
• Water Crises
• Critical information Infra Breakdown
• Unemployment & Underemployment
Source: World Economic Forum Global Risk Report 2014
Cyber Risks in the Fifth Domain
• Ever Expanding (IoT, SMAC)
• Vulnerabilities in all platforms
• Knowledge about vulnerabilities available openly
• Attacks from anywhere; cheap to launch
• Defense expensive; Attribution difficult
• Offense dominant
• Global commons
"Everything that is connected to the Internet can be hacked, and everything is being connected to the Internet" - Rod Beckstrom, former president, ICANN
Cyber Risks are Real and Happening Today
Cybercrimes
• Financial frauds, identity thefts, copyright and trademark violations
• McAfee estimates cybercrimes cost businesses $400 billion worldwide
Cyber attacks
• NASA, RSA, CIA, Sony, Lockheed, Pentagon, Google, Citigroup attacked
• Target; 1.2 bn usernames and passwords stolen
• Cyber attacks on critical information infrastructure, e.g. Stuxnet infections
Cyber espionage
• Economic, military and state secrets theft on the rise; annual loss of IPR is over $1 trillion
• US government filed a case against 5 Chinese army personnel for stealing trade secrets of large US companies
Cyber warfare
• Cyber attacks on Estonia, Georgia, South Korea and others
• Non-state actors used for specific aims, global crime syndicates, etc.
• Nation-states developing offensive capabilities: Stuxnet, Flame, etc.
Harmful Content
• Used for demagoguery - fight against states on issues, even organize revolutions - Arab Spring
• Mass migration of people from the south to the northeast of India, London riots
• CSIS puts the annual global cost of digital crime and intellectual property theft at $445 billion
• Corporates spent $67 billion on information security last year.
• Destruction in 2010 of centrifuges at a nuclear facility in Iran by Stuxnet, and the 2012 incident involving the virus known as Shamoon.
• Last year over 800m records were lost. Most prominent was Target, whose CEO, Gregg Steinhafel, quit in May. Adobe and eBay were also hit.
• Barack Obama accepted that cyberthreats “pose one of the gravest national-security dangers” the country is facing.
Source: The Economist
Cyber Risks are Expensive
Cyber Risks cause Reputational Damage
Recent iCloud cyber attack leaked nude photos of more than 100 celebrities -- Jennifer Lawrence, Kate Upton, Ariana Grande and Victoria Justice, to name a few.
iCloud Hacked
Target to book $148 million in data breach expenses
Cisco CEO writes letter to Obama asking him to stop the NSA hacking into his equipment
Cyber attack on eBay compromised customer data, and the company urged 145 million users to change their passwords.
Adobe hack attack affected 38 million accounts.
Hacking group Rex Mundi held Domino’s Pizza to ransom over 600,000 Belgian and French customer records demanding $40,000 in return.
Politicization of Cyberspace – Strategic Issues
Internet Governance
Strategic advantage of few countries controlling Data
Control of critical Internet resources
Rise of powerful transnational institutions - new models of governance?
Debate on human rights and freedom of expression versus content control
Cyber Security / National Security
Vulnerabilities in critical national assets; Impact on National Security
ICT Supply Chain Risks; interference in ICT supply chains; backdoors
Localization of ICT Infrastructure for national security and privacy protection reasons
120+ military intelligence agencies believed to be developing offensive cyber capabilities
Shortage of security talent; lack of capacity building efforts
Lack of information sharing - government to business and business to business
Lack of global cooperation; Existing instruments not effective
Privacy
Surveillance by foreign governments
Restrictions on trans-border data flows for privacy protection
These have to be addressed
How do we mitigate these risks?
This has to be done at multiple levels
• Individual
• Technology users
• Technology providers
• Government
• Global cooperation
Cyber Security – Individual Role
Issues & Challenges
• Poor awareness of risks, legal rights and legal obligations
• Non Seriousness
• Behavioral Inconsistencies
• Poor spending on genuine software, security solutions
Possible Solutions
• Being vigilant; Take the threats seriously; Follow guidelines
• Make investments to buy genuine software and security solutions
• Be aware of legal rights and obligations
Cyber Security – Role of User Industry
Issues and Challenges
• Security not a priority in procurement
• Lack of understanding of issues and management support
• Compliance driven approach & practices; Security treated as a cost center
• Non seriousness of employees
• Lack of information sharing with peers and government/regulator
Possible Solutions
• Focusing on ICT Supply Chain practices across the product or service lifecycle; demanding security
• Making security a Board agenda; Treating security as a business enabler
• Taking a risk based approach to security
• Establishing ownership and accountability of stakeholders
• Continuous efforts to make employees aware of their role and risks
• Creation of institutional mechanisms for industry level information sharing
Cyber Security – Role of Technology Providers
Issues and Challenges
• Few companies proactive in embedding security in design – investments in secure code development missing
• Demand based security instead of being a hygiene / assurance factor
• Lack of focus on threat intelligence and vulnerability management
• Shortage of security talent
Possible Solutions
• Implement ICT Supply Chain standards and best practices; Deploy secure coding practices
• Treat security as an ongoing activity rather than a one-time implementation
• Invest in threat intelligence and vulnerability management capabilities
• Invest in capacity building
Cyber Security – Government
Issues and Challenges
• Absence of a comprehensive framework to deal with cyber security
• Role of government in cyber security not clear – regulation v/s market driven; PPP?
• Lack of capabilities and skills
  - Absence of intelligence and information sharing mechanism
  - Lack of training and knowledge available to LEA and judiciary
Possible Solutions
• Recognize cyber security as a strategic domain of national security; Implement a robust national cyber security framework driven by a national cyber security structure
• Define and leverage PPP models
• Promote research & development, innovation, investments and entrepreneurship
• Focus on building capabilities and skills – create CoEs, institutions, platforms, etc.
Cyber Security – Global Cooperation
Issues and Challenges
• Lack of international cooperation & norms to address cyber security requirements
• Absence of international cooperation across jurisdictions to track cyber criminals
• Existing instruments (e.g. Budapest Convention, MLATs) not effective
Possible Solutions
• Development of acceptable global norms
• International Clearing House for critical infrastructure information
• Early Watch and Warning Global System
• Review existing international instruments to make them relevant; increase acceptance, especially in developing countries
Thank You
Cybersecurity - A Global Problem - Needs Collaboration at all ends
National Nodal Centres on information infrastructure in Public-Private-Partnership (PPP) Mode should cooperate
Global Service Providers to cooperate with LEA in all countries and respond to their requests for investigations
CERTs to exchange threats and vulnerabilities data in an open way to build an Early Watch and Warning System
Incident Management: Information sharing among agencies on incidents - to build an International Incident Response System
Critical Infrastructure Protection: An international Clearing House for Critical Infrastructure Protection – to share threats, vulnerabilities, attack vectors
Sharing and deployment of security best practices for cybersecurity
Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign responsibility, and use of force; investigation and prosecution of cyber crimes; data preservation, protection, and privacy; and address enforcement provisions in the current cyber laws.
Implementation of reasonable security practices; privacy protection; incident response; transnational cooperation.
Law Enforcement Agencies (LEA): Investigation of cases, collection of forensics evidence at the behest of other countries, conducting trial of elements involved in cyber criminal gangs to bring them to justice
Securitization of Cyberspace – Relevant Risks
Computer Security, Cyber Security, National Security
Cyber Security Risks: Political, Military, Societal, Legal, Economic, Business