IADC Industry Day 2015
“Enhancing Capabilities II: Roles of Industry in Security and Defense Technologies”
The world has never been smaller, with more of us connected at ever greater speeds. It is expected that 80% of humanity will have a super computer in their pocket by 2020. New technology and the Internet of everything, by everybody and by every sector, has changed the way we interface with each other, revolutionized business processes, and altered the way in which countries and economies are operated. There is no doubt that this hyper connectivity is a powerful development tool and opportunity of growth, for governments, business and individuals alike: a tool that must remain open and accessible.
That being said, with new technology comes new risks. Specifically, the rapid growth and development of technology is far out pacing the ability to control, regulate and keep up with it from a security and defence standpoint. The Internet, as on example, has lowered the barriers to entry, both in terms of access and availability, for criminal entrepreneurs to participate in illicit activities while making it more difficult for law enforcement to link the crime to the perpetrator and jurisdiction. As with any business, with such low barriers to entry cyber criminals are flooding the market. Cyber-crime, while the dominating feature of the risks and threats that come with new and advanced technology, is not necessarily a new behavior; the end result is the same as an offline crime but the means are different. The Internet and new technologies are providing new opportunities, accelerating the volume and velocity of which crimes can be committed.
New forms of attack and weaknesses, such as zero-day vulnerabilities, security holes in software such as browser or operating system software that are unknown to software makers or antivirus vendors, are becoming increasingly common due in large part to the emergence of a vast market for buying and selling them, driven primarily by the demand from militaries, intelligence and law enforcement agencies and national governments. This particular example highlights the negative relationship that can arise between private sector industry and the public sector. The presence of such dangers and ‘grey’ areas cement the growing need for increased public-private partnership and cooperation, so as to benefit both sides and ensure security for both as well as society and individuals.
In addition to this, with the advent of the Internet of things more personal data will be stored on a multitude of devices, increasing the volume of opportunities that cyber criminals will have for data theft. In tandem with public-private partnership this represents the need for individual citizen action and awareness as fraudulent and illegal electronic financial transfers and transactions will only continue to grow as more online value transactions create greater incentives for cyber criminals.
Cyber security and the growth of technology is also a top concern for critical infrastructure, such as utilities and transportation systems, which are increasingly vulnerable to attack. Most countries critical infrastructure falls into both the public and private sector. This again emphasizes the need for partnerships and the sharing of innovation and best practices as governments and industry must work together to actively protect vital industry and utilities while preventing cyber attacks.
In continuing a discussion related to both cyber crime and cyber security it is important to note the difficulties that arise when attempting to distinguish between these two terms. Problems relating to definitions are emerging as the lines separating the too continue to blur. Cyber crime and cyber security are pushing boundaries and therefore require new understandings related to security as they are increasingly being used by or for non-state and non-traditional actors. That being said we cannot let definitions slow us down.
Cyber crime has become an extensive and damaging threat and so we must all work together; governments, international organizations, the private sector and civil society, reinforcing collaboration and recognizing that cyber security is a shared responsibility. Cybercrime affects society as a whole, not only threatening individuals’ privacy, but also potentially compromising a country’s critical infrastructure and ability to provide essential services to its citizens. The globalized nature of economies also means that it is a threat at an international level. This highlights the need for action on four levels: International, national, private sector and individual. The OAS is therefore actively pursuing responses on all of these levels through its own initiatives and work in regards to cyber security.
The OAS Cyber Security Program
Strengthening cyber security and protection throughout the Americas is the overarching objective of our Cyber Security Program. Specifically, it aims to:
A) Assist OAS Member States to establish robust national and governmental cyber incident response capabilities, including 24/7 “alert, watch, warning and response” groups—CSIRTs;
B) Facilitate communication, information-sharing and collaboration between national CSIRTs and other cyber security-related authorities, including through an OAS-hosted Secure Hemispheric Network of CSIRTs and other collaborative platforms and information-sharing mechanisms; and
C) Promote the development of national cyber security strategies and frameworks in all OAS Member States, in order to ensure that cyber security is addressed in a comprehensive and coordinated way.
We think cybersecurity issues should be addressed by our member states through a “smart security” approach involving the establishment of best practices; participation across various sectors and stakeholders; methods that are tailor-made to countries’ specific needs; an objective-oriented plan; evidence-based problem analysis; and results evaluation. A large part of our success is also due to our close partnerships with our member states, including experts and institutions, and the implementation of the following seven-point plan:
- Engaging civil society and the private sector
- Raising awareness
- Developing national strategies
- Providing training.
- Rehearsing crisis management.
- Carrying out technical assistance missions.
- Sharing information
Our activities have built momentum since the program started in 2004 with the adoption of the Comprehensive Inter-American Cyber Security Strategy. The Cyber Security Program has promoted the creation of Computer Security Incident Response Teams (CSIRTs), whose numbers have risen from six (6) to nineteen (19) in the last decade. Countries such as Colombia (2011), Panama (2012), Trinidad and Tobago (2013) and Jamaica (2015) have established national cyber security policies and strategies as well. In 2014, the OAS initiated the national strategy development process in Dominica and Bahamas, as well as the development of a national cyber security action plan for Suriname.
The Cyber Security program also conducts cyber security crisis management exercises, which have been used for training activities in eight (8) countries through a mobile cyber laboratory built and configured by the OAS. Furthermore, we continually strives to build partnership with various processes and entities such as LACNIC, Anti-Phishing Working Group, and FIRST to name a few, recognizing the need to establish a multi-sectoral approach to building capacity in our member states.
The OAS has partnered with several private and public bodies such as Microsoft, OWASP, Interpol, the Government of Estonia and the Global Cyber Security Capacity Centre at the University of Oxford. It has also signed MOUs with private entities such as Microsoft. The added value that we have seen in these partnerships has been mutually beneficial. For example we have partnered for capacity building training in our members states, to produce reports such as ‘Latin America Cyber Security Trends’ (2014) with Symantec and most recently “Cyber Security and Critical Infrastructure in the Americas” (2015) with Trend Micro. We have also received technical assistance from Microsoft in the preliminary work we are doing with the Global Cyber Security Capacity Centre in partnership with the Inter-American Development Bank on a study this year on the state of cyber security in Latin America and the Caribbean.
One of the original focuses of the OAS Cyber Security Program was to develop a hemispheric network of CSIRTs. The purpose of this network was to facilitate real-time communication and information sharing between CSIRTs in the Americas, as well as to ensure that each country had a designated official point of contact for cyber incident response issues. This kind of tool serves as a strong cooperation model which we can extend to international and regional law enforcement bodies such as Europol, Interpol and Ameripol to work collaboratively and trans-regionally with our member states and the OAS on cybercrime issues.
As was previously made clear, industry partnership is a key aspect of the OAS cyber security initiative. More than 80% of the infrastructure that drives the Internet and administers essential services is owned and operated by the private sector. Public-Private Partnerships are therefore essential to fighting cybercrime and responding to attacks. They are also equally important to uphold fundamental values of freedom and privacy when fighting against cybercrime. The private sector is what forwards the entire technology industry and so what better way to stay ahead of it from a security point than to partner with the very companies that are leading the way in innovation and new technology. However, the partnership works both ways and just as industry can help governments and organizations remain up to date and on par with new technology and the new crimes that accompany it, governments and organizations can in turn help to ensure the safety and protection of businesses. For example, the OAS/Symantec Report on the Cyber Security State in Latin America outlines 14 best practices for business to mitigate cyber threats. From educating users on basic security protocols to ensuring all devices on the network are secure and regularly patched and updated. We also continue to advocate for other relatively simple and practical solutions that can be implemented by companies and businesses, such as;
- White-listing software and hardware applications
- Limiting those with system wide administrator rights.
- Robust dual authentication passwords.
- Proactive disclosure when a cyber incident occurs.
- Robust collaboration amongst all sectors and regions.
Organizations, governments, the private sector, and their partnerships are also beneficial for consumers and individuals. With the development of the Internet of things, individuals are connected in many different ways. They are therefor more vulnerable and so need to be more responsible. This new trend highlights the importance of designing policies to raise awareness among Internet end users about basic cyber security so they can be more informed and responsible as users.
One of the most important issues in the discussion surrounding security, technology and public-private partnership is critical infrastructure protection. Critical infrastructure relates to systems that are essential for a country’s continued and effective functioning, providing the structure for a country’s economy, security and energy; from electricity, to water, transportation, and communication. Due to their ability to affect the stability and security of governments, economies and citizens, and their interdependent nature, critical infrastructure cyber security cannot simply be addressed by a single government or single approach but require effective international cooperation and collaboration. The OAS therefore plays an important role as a facilitator in strengthening cyber security specifically targeting critical infrastructure throughout the region and providing the space for partnerships, cooperation and the sharing of information and practices.
In 2012 the OAS cemented its dedication towards the issue with the Declaration Strengthening Cyber Security in the Americas. This declaration reaffirmed CICTE’s strategy towards improved cyber security in the region, particularly drawing attention to the relationship between cyber security, terrorism and the threats surrounding critical infrastructure. Most recently, CICTE concluded its 2015 annual meeting with a call to combat terrorist threats specifically aimed at critical infrastructure. The meeting produced a declaration on “Protection of Critical Infrastructure from Emerging Threats,” reaffirming the OAS’s commitment to combating terrorist threats targeting critical infrastructure and cyber security weaknesses.
As previously noted, the ever increasing reaches, complexity, prevalence and anonymity of cyber crime is both real and challenging. The OAS is therefore forwarding an integrated, multidimensional and multisectoral cyber security approach within the hemisphere. Given the far-reaching scale and scope of cyber crime and its interconnected nature the response must not be limited to one country or one sector but instead must incorporate governments, the private sector, and even individuals. This meeting is therefore key in fostering cooperation and building links between industry and the public sector. Recognizing the importance of collaboration, through private-public partnership and the establishment of a network of actors all dedicated to combating the threat that is cybercrime are important steps. The OAS is therefore pleased to be represented here today to continue its efforts in encouraging cooperation and sharing throughout the hemisphere, specifically targeting the security threat associated with technology and cyber crime.
Latin America and the Caribbean currently have one of the fastest-growing Internet populations in the world, giving rise to a number of significant cyber security challenges, including those surrounding critical infrastructure. We, meaning all those present today, need to work together to reinforce and expand our regional cyber security throughout the Americas. Through partnerships, cooperation and collaboration we need to actively engage all relevant actors form civil society to the private sector and individuals, raising awareness, developing national strategies, providing training, rehearsing crisis management, and sharing information. Only by pursing such initiatives and following an established comprehensive cyber strategy can we effectively disrupt and prevent the growing number and means of crimes associated with new and emerging technologies.