A Framework to Implement a National Cyber Security Structure for Developing Nations

ID Ellefsen and SH von Solms
Academy for Information Technology, University of Johannesburg


SACSAW '11 - ID Ellefsen & SH von Solms - University of Johannesburg

Outline

• Introduction

• Critical Information Infrastructure Protection – Background
  • Protection Structures
  • CSIRTs
  • C-SAWs

• CIIP Framework for Developing Nations
  • Challenges
  • Two-Factor Development
  • Role of the CSIRT and C-SAW

• Stages of Development
  • Initial, Intermediate, Mature
  • Timeline

• Conclusions


Introduction I

• With the growth of the Internet in developing countries there is a need to develop CIIP solutions

• Growth of Internet facilities affects all levels of society:
  • Cost of connection
  • Speed of connections
  • Number of users

Cable System   Cost ($ million)   Capacity    Completion
Seacom         650                1.28 Tb/s   July 2009
TEAMs          130                1.28 Tb/s   September 2009
EASSy          265                4.72 Tb/s   July 2010
WACS           600                5.12 Tb/s   Q3 2011
ACE            700                5.12 Tb/s   Q2 2012

Table: Various cable systems becoming operational since 2009


Introduction II

• Developing nations are finding themselves on the receiving end of massive improvements in bandwidth

• They do not have structures in place to deal with the effects of increasing bandwidth
  • Distributed Denial of Service (DDoS) attacks
  • SPAM
  • Phishing
  • Malware

• Increasing size of the user-base.

• Users are unaware of how to deal with these new threats.

• Companies and Governments might not be aware of the possible threats to their systems.


Critical Information Infrastructure Protection - Background

• The internal structures that countries have in place to prevent attacks on their information infrastructures.

• Many systems are now making use of Internet technologies
  • Critical Systems (Power, Water, Telecommunications, etc.)
  • Economic Systems (Stock Exchanges, Reserve Banks, Financial Institutions, etc.)
  • eServices (Tolling Systems, Online Booking Systems, etc.)

• If any of these systems were to be attacked via the Internet it would have serious implications.

• All countries need to create structures to handle possible cyber attacks.

• Often for historic reasons, developing nations have unique challenges that must be addressed in the development of these structures.


Protection Structures

• The structures countries create to handle cyber security incidents.

• Computer Security Incident Response Teams (CSIRTs)
  • Well-understood platform
  • Operates within a constituency of users
  • Encapsulates the expertise for responding to computer security incidents
  • “Top-Down” by design – implemented at a governmental level.
  • Unique for a particular environment

• Computer Security, Advisory and Warning (C-SAW) Team
  • Part of continuing research
  • Smaller in scale than a CSIRT
  • Operates within a community of related members
  • Focuses the computer security expertise of the community
  • “Bottom-Up” by design
  • Interfaces with the community and a larger CSIRT


A CIIP Framework for Developing Nations

• Developing nations must deploy these structures quickly
  • They must be customised for their environment

• Structures in Developed Countries have evolved over the past 20 years
  • Grown and developed with the development of technology

• Developing countries have unique challenges
  • Directly importing an existing structure will not effectively address these challenges
  • Development of a unique structure for a unique environment

• Heavily influenced by social problems


Specific Challenges

• Significantly faster development of information infrastructures.

• High levels of “cyber security illiteracy”.

• A high number of users utilising mobile technologies.

• A demand to adopt and provision eServices.

• Inadequate legislation addressing cyber security.

• Inadequate policy documentation addressing cyber security.


Two-Factor CIIP Development

• Approach the development of a holistic cyber security structure on two fronts:

• Top-Down
  • Large entities
  • Direct coordination from CSIRT

• Bottom-Up
  • Smaller entities
  • Interaction with C-SAW teams

• Two structures are developed concurrently

• Resulting in a comprehensive final structure


Role of the CSIRT

• To provide high-level coordination

• Bridge between government and the national computer security structure

• Focused on large roleplayers:
  • Governmental Entities
    • Departments, Military, etc.
  • Large Commercial Entities
    • Financial Institutions
    • Telecommunications
    • Manufacturing, etc.
  • Large Academic Entities
    • National Research Organisations
    • Large Tertiary Academic Institutions

• All of these roleplayers have:
  • Established computer facilities
  • Large bandwidth consumption
  • High number of users


Role of the C-SAW

• To provide “low-level” coordination

• Bridge between small roleplayers and the national computer security structure

• Focused on small roleplayers:
  • Small Academic Entities
    • Primary and Secondary Schools, etc.
  • Small Commercial Entities
    • Small and Medium Enterprises
  • Individuals
    • The “man-on-the-street”

• All of these roleplayers have:
  • Limited computer facilities
  • “Small” bandwidth consumption
  • Relatively little collective knowledge of computer security threats


Stages of Development (Framework)

• A high-level structure should be developed in three stages:
  • Initial Stage
  • Intermediate Stage
  • Mature Stage

• Each stage consists of a number of goals that must be achieved

• Each goal allows the resulting national computer security structure to develop incrementally

• The actual length of each stage would depend on the environment

• Ideally would allow for rapid deployment of a national computer security structure on two fronts:
  • Top-down
  • Bottom-up


Initial Stage

• Concerned with initial assessments and environmental reports

• The deployment environment must be evaluated and the following taken into consideration:
  • The Deployment Environment
    • Critical systems
    • Stakeholders
    • Legislation
    • Expertise
  • The Legal Environment
    • Current Legislation
    • Required amendments
  • Technological Environment
    • Current and future technologies
  • International Partners

• Finally, small-scale test deployments should be done to practically evaluate the environment


Intermediate Stage

• Primarily concerned with the development of the national structures

• CSIRT is formally created

• A number of C-SAW Teams are deployed

• Communities and Constituencies are established

• Relationships are solidified:
  • International
  • Local

• CSIRTs and C-SAWs should focus on awareness:
  • The national computer security structure
  • Computer security in general

• The development can follow directly from the initial phase.
  • Build on from the small-scale structure


Mature Stage

• The mature stage indicates a fully functioning and operational national computer security structure

• Does not signify complete protection of critical information infrastructure
  • The structure is able to operate on a day-to-day basis and is able to respond to incidents

• There must be on-going development

• There must be on-going awareness campaigns

• New services that can be offered by the national computer security structure can be identified

• Education campaigns to expand local expertise.


Timeline

• Ideally the development of a national computer security structure should happen quickly

• Deployment time will vary

• Commitment from all roleplayers is needed in order for the development to be successful.

• Idealised timeline (3 years) – assuming all preparation has been done
  • Initial Phase: 8 months
  • Intermediate Phase: 1 ½ to 2 years
  • Mature Phase (development): 1 year


Framework Timeline


Conclusions

• Developing countries must deploy a national computer security structure

• There are many unique challenges that developing nations face

• In light of this, importing an existing structure or framework will not adequately address these challenges

• Two-factor development:
  • Top-down: focused on the development of a CSIRT structure
  • Bottom-up: focused on the development of a C-SAW structure

• Concurrent development to promote the rapid development of a comprehensive, holistic structure.

• Questions?