The National Cyber Security Strategy and Action Plan
A presentation by Ms. Antoinette Lucas-Andrews
Director, International Affairs, Ministry of National Security
ITM4D Meeting, Tobago
July 11 2014
FORMAT OF PRESENTATION
◦ BACKGROUND: The ICT and Cyber Security Landscape in Trinidad and Tobago
◦ APPROACH TO STRATEGY DEVELOPMENT
◦ ELEMENTS OF THE NATIONAL CYBER SECURITY STRATEGY: Governance, Incident Management, Culture, Collaboration, Legislation
◦ IMPLEMENTATION OF ACTION PLAN
ICT Landscape in Trinidad and Tobago
Mobile phone users: 1,944,000
Mobile penetration: 146% (Dec 2013)
Internet household penetration: 54.2%
Fixed Broadband Internet subscriptions: 232,000
Mobile Internet penetration: 33.9%
(Source: TATT, Quarterly Market Update, Q4 2013)
Network Readiness Index: 71 out of 148 countries (Source: WEF Global Information Technology Report 2014)
THE ICT LANDSCAPE IN TRINIDAD AND TOBAGO
Cyber bullying
Unauthorised access: Government websites defaced / hacked
Data Leaks
Skimming
Spam, Phishing Scams, Malware
APPROACH TO STRATEGY DEVELOPMENT
THE PROBLEM
Cyber attacks growing in sophistication, frequency and gravity, globally
Impact difficult to quantify as victims very often fail to report incidents
Threats lurking in cyberspace from the general community (unseen)
Lack of coordinated efforts to address cyber security and secure information infrastructure
No comprehensive legislative framework
Inadequate technical expertise
THE SOLUTION: A Coordinated Approach
Establishment of Inter-Ministerial Committee
Political endorsement at the highest level
Clearly defined mandate
Projectized and of specific duration
Inclusive of Government Ministries and Agencies, Telecomm Regulator and National ICT Company
Power to co-opt private sector representatives when necessary
THE ACHIEVEMENTS
Developed and obtained approval for National Cyber Security Strategy (December 2012).
Developed and obtained approval for a National Cybercrime Policy (February 2013).
Developed and obtained approval for the establishment of a Cyber Security Agency (August 2013). A Bill to establish same is currently before Parliament.
Obtained approval for technical assistance from the International Telecommunication Union for the establishment of a CSIRT (September 2013).
Coordinated the work of a HIPCAR Consultant which resulted in the development of a Draft Cybercrime Bill, currently before Parliament.
Accessed capacity building and training for government stakeholders (OAS/CICTE, HIPCAR and CCI).
THE STRATEGIC VISION
The creation of a secure and resilient cyber environment, based on collaboration among all key stakeholders, which allows for the exploitation of ICT for the benefit and prosperity of all.
National Cyber Security Strategy: Objectives
To create a secure digital environment;
To provide a governance framework for all cyber security matters;
To protect the physical, virtual and intellectual assets of citizens, organizations and the State;
To ensure the safety of all citizens by promoting awareness and mitigation of cyber risks;
To protect critical infrastructure and secure information networks;
To minimize damage and recovery times; and
To create the appropriate legal and regulatory framework.
The National Cyber Security Strategy: Focus Areas
Governance
Incident Management
Culture
Collaboration
Legislation
GOVERNANCE
Establishment of a Trinidad and Tobago Cyber Security Agency via legislation
NPC for all cyber security related matters
Implementation and updating of Strategy;
Situational awareness; efficient government-wide Network and Information security management;
Risk assessment activities, studies on IT security management solutions;
Standards on network and information security
Accreditation and certification
National Cyber Security Contingency Plan
AUTHORITY OF THE TTCSA
Formulate principles for the guidance of the public and private sector concerning ICT security measures;
Refer such matters to the Trinidad and Tobago Police Service as necessary when an offence under the Cybercrime Act comes to its knowledge;
Undertake such other activities as are necessary or expedient for giving full effect to the Cybercrime Act;
Enter into Memoranda of Understanding with key stakeholders and partners as necessary to execute its function.
INCIDENT RESPONSE
Establishment of a Computer Security Incident Response Team
The first point of contact to address cyber incidents that may affect national critical information infrastructure
– detection, tracking, mitigation
Alerts and warnings
– a part of hemispheric and international network of CSIRTs
RESPONSIBILITIES OF THE CSIRT
Provide incident response and management services
Provide alerts and warnings on the latest cyber threats and vulnerabilities
Assess and analyse the impact of incidents
Establish internal and joint procedures between the public and private sectors to manage the incidents and mitigate the threats associated with them
Provide appropriate strategic insights to policy and decision-makers to strengthen the national cyber infrastructure
Assess the work of incident response teams within the public and private sector
COLLABORATION
National Collaboration: Government, Private Sector, Civil Society, Academia
International Collaboration: T&T, OAS, UN, CCI, ITU
CULTURE
Multi-disciplinary and multi-stakeholder approach
Promote awareness of risks at all levels
Embedding cyber security in wider aspects of policy formulation
Certification programs through public and private education institutions
Research and development
LEGISLATION: FOCUS
• Criminalization of offences related to computer crime and cybercrime
• Institution of investigation mechanisms
• Use of electronic evidence in prosecution
• Creation of an environment that defines the obligations and restricts the liability of ISPs
LEGISLATION – PURPOSE
Prevention, investigation, prosecution and sentencing of computer crime and cybercrime in Trinidad and Tobago
Conformity with the international endeavour to fight transnational computer crime and cybercrime
Repeal of the Computer Misuse Act (2000) and replacement with the Cybercrime Act
LEGISLATION: PROCESS
A. Review of existing national legislation:
◦ Anti-Terrorism Act (as amended), 2005
◦ Computer Misuse Act, 2000
◦ Children's Act (as amended), Chap 46:01
◦ Electronic Transfer of Funds Crime Act, 2000
◦ Evidence Act (Section 14B)
◦ Extradition (Commonwealth and Foreign Territories) Act, 1985
◦ Financial Intelligence Unit of Trinidad and Tobago Act, 2009
◦ Interception of Communications Act, 2010
◦ Mutual Assistance in Criminal Matters Act (as amended)
◦ Offences Against the Persons Act, Chap 11:08 (Section 30A)
◦ Proceeds of Crime Act, Chapter 11:27
◦ Telecommunications Act (as amended), Chap 47:31
LEGISLATION: PROCESS
B. Comparative Study conducted in conjunction with HIPCAR Consultant
Commonwealth Model Law
Budapest Convention
HIPCAR Cybercrime Model Policy Guidelines and Legislative Text
Legislation from other Countries: US, Philippines, Dominican Republic, Jamaica, Belgium
Scholastic Articles
Case Law
C. Stakeholder Consultations
Economic/Financial, Telecoms, Academia, IT Security,
LEGISLATION – OFFENCES
Illegal access to a computer system (“hacking” etc.)
Illegal interception (violating privacy of data communication)
Illegal Data interference (malicious codes, viruses, trojan horses etc.)
System interference (hindering the lawful use of computer systems)
Misuse of devices and illegal devices (tools to commit cyber-offences)
Offences affecting critical infrastructure
Computer-related forgery (similar to forgery of tangible documents)
Computer-related fraud (similar to real life fraud)
Identity related offences
SPAM
Harassment using an electronic means
Infringement of copyright and related rights
The importance of:
• Environmental Scanning
• Internal Resource Analysis
• External Resource Identification
The value of:
• Problem Identification
• Finding Solutions
• Prioritization
The requirement for:
• Stakeholder consultation
• Political commitment
THE WAY FORWARD
Establishment of the CSIRT
Parliamentary approval and enactment of Cybercrime Bill
Parliamentary approval and enactment of Cyber Security Agency Bill
Establishment of TTCSA
Continuous training and capacity building
Launch of public awareness campaign
THANK YOU
nationalsecurity.gov.tt