why the private sector is key to cyber defence

Why the Private Sector is Key to Cyber Defence Gareth Niblett, Chairman, BCS ISSG

18th May 2010

Presentation to Cyber Defence 2010 2

About your Speaker

Overview Chairman of the BCS ISSG, a security specialist group with over 3,500 members from BCS, the Chartered Institute for IT, where he is involved in a number of initiatives focused on improving security and safety. Currently working as a managing consultant providing business advisory services and solutions focussed on security, privacy and compliance, especially in relation to communications and online services. Previously Chief Information Security Officer (CISO) of a national communications and IT services company where he had group wide responsibility for all aspects of information security, participating in government and industry forums focussed on infrastructure protection, emergency services, resilience and response, internet safety, next generation network assurance and secure network interoperability.

Recent Collaborative Efforts: BCS Security Community of Expertise British Business Federation Authority

(BBFA) Centre for the Protection of National

Infrastructure (CPNI) sponsored UK Network Security Information Exchange (NSIE)

Electronic Communications Resilience & Response Group (EC-RRG)

EURIM e-Crime Working Group Internet Watch Foundation (IWF)

Funding Council Network Interconnection Consultative

Committee (NICC) Security Group 999/112 Liaison Committee

What is critical and why Critical National Infrastructure (CNI)

01


What is Critical National Infrastructure?

Critical National Infrastructure (CNI) is the collective term for those services that are essential to the economic, social and political wellbeing of a country.

CNI can be categorised into 10 sectors: communications, emergency services, energy, finance, food, government and public services, health, public safety, transport and water.

 Not everything is critical  Each sector is different

 Many sectors privately held

Overview of CNI Sectors

Communications

Emergency Services

Energy

Finance

Food

Gov. & Public Services

Health

Public Safety

Transport

Water

Critical N

ational Infrastructure


Why are these Sector Critical?

Without Communications, your telephones (fixed and mobile) and Internet access stops working properly; you become unable to call, fax, text, e-mail, browse or otherwise transfer information. Without Energy, your home goes dark, you can’t get online, although your telephone may work (while the telcos’ batteries / generator hold out), you can’t get fuel for your vehicle or home, business start shutting down. Without Finance, your bank account and card stops working, so you can’t withdraw cash, buy groceries, pay for fuel / travel, or pay bills. Finance relies on Communications for transfers, online & phone banking. And so on… Critical National Infrastructure is a complex web of vital interdependent services, which are all dependent on technology, creating new risks.

Or, why governments can’t just do it themselves Why the Private Sector is Critical

02


Why rely on the Private Sector?

Governments no longer own and control significant portions of their country’s critical national infrastructure. This varies by country but is a growing trend, due to consolidation and globalisation. Also, critical infrastructure now crosses borders and may be under foreign control. Companies once government owned may have been privatised and are now outside of direct government control; or companies that may never have been under government control in the past, being independent commercial venture, have become critical to a nation’s infrastructure. As with every rule there are exceptions and complications. Even with partial government control of a business, such as when there has been a financial bailout or the sector is strictly regulated, governments may still struggle to deal with CNI issues without clear rules and co-operation.


Private Sector is Key to Cyber Defence

If online government & banking services start collapsing under a deluge of sustained access attempts coming from thousands of worldwide sources, it would take international co-ordinated effort, between finance, government and communications to identify and mitigate the threat. If a leading global search engine and dozens of other leading businesses are extensively compromised, possibly by a foreign intelligence service, exposing sensitive company and customer information, including trade secrets and source code, surely governments might be interested. If a national power grid uses legacy SCADA systems, now connected internally via IP, that may be susceptible to exploitation via the Internet by foreign nationals then this exposure is of interest not only to government but to all the other sectors of critical national infrastructure. And so on…

Government, industry and cross-sector collaboration Information Sharing

03


Why is Information Sharing Important?

Sharing information about the risks facing critical national infrastructure is beneficial to both government and industry. If each parties can privately learn from the experiences, mistakes, and successes of each other, then they can all improve their level of assurance. No government, sector or company can operate in isolation in the modern, interconnected and dependent world. Without information sharing, it may not be possible to find out about risks whose impacts may affect you; therefore you are unable to adequately protect or prepare. Companies will be reticent in sharing commercially sensitive information without a similar reciprocal arrangement. If government does not engage in a positive two-way dialogue with the private sectors that form part of CNI then they are likely to be unaware of all the risks facing the country.


How does Information Sharing occur?

Public Education – publication of information security standards, user awareness, education campaigns, threat assessments (warning levels) Private Advice – restricted information on physical, personnel and electronic threats and vulnerabilities along with mitigation approaches Information Exchanges – trusted government & sector representatives sharing sensitive info on threats, vulnerabilities, incidents and intelligence Standards Development – collaborative working to define standards for information assurance, e.g. in Next Generation Networks (NGNs) Policy Development – arrangements to help ensure security, such as staff vetting and procurement rules for critical components and services Planning Exercises – joint government / industry crisis workshop looking at complex scenarios, e.g. loss of power and / or communications

How assistance is given to cyber defence & investigations Private Sector Support

04


What Support does Private Sector give?

Example: in many countries the communications sector has been privatised and opened up to competition, but it regulated and is generally co-operative to lawful requests and supporting CNI. It is often best placed to support efforts in cyber defence through a variety of routes, such as:

Lawful Interception – targeting content of voice & data communications Data Retention & Disclosure – communications related data records Filtering Illegal Content – blocking or removing child sexual abuse images, terrorism material, defamatory or inciting statements etc. Filtering Unwanted Content – spam, phishing, malware, DDoS etc. Online Investigations – hacking, botnets, copyright infringement etc. Infrastructure Protection – building and operating to secure standards Resilience & Response – robust networks but responsive to incidents

What events have taught us about improving collaboration Lessons Learned

05


How can we Improve Things?

Countries need to recognise that government does not own all of CNI and that they cannot provide adequate cyber defence in isolation. More effort required to establish effective Public-Private Partnerships, both nationally and internationally – with a focus on consistency. Information sharing must be two-way and include information that is not, and should not be, in the public domain to be of significant benefit. Joint exercises simulating response to realistic scenarios with a large scale impact on CNI – business continuity plan testing at a national scale. Planning will not highlight all the things that will occur in a real event, be it a physical terrorist attack, or an online cyber attack – a flexible and agile defence is needed. This can only be achieved through collaboration between governments and the private sector that forms much of CNI.


And Finally…

Questions welcome, either now or later.

More of me: Blog: http://www.infosecmaven.org/ Twitter: http://twitter.com/INFOSEC_Maven LinkedIn: http://uk.linkedin.com/in/garethniblett

If you want direct contact details, please ask…

why the private sector is key to cyber defence

Technology