national cybersecurity policy framework … · presentation overview 1. background 2. purpose of...
TRANSCRIPT
NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)
Dr Kiru Pillay
26 July 2016
Page 2
PRESENTATION OVERVIEW
1. BACKGROUND
2. PURPOSE OF THE NCPF
3. NCPF OBJECTIVES
4. BENEFITS OF THE NCPF
5. SA CYBERSECURITY CONCEPTUAL MODEL
6. PROGRESS TO DATE
Page 3
BACKGROUND
To set out an aligned and coherent approach to Cybersecurity, in March2012, the South African government approved the National CybersecurityPolicy Framework (NCPF).
The NCPF addresses:
Uncoordinated and silo approach to Cybersecurity;
Inadequate regulatory framework to support Cybersecurity;
Lack of general public awareness about Cybersecurity; and
Inadequate capacity, skills and resources.
It outlines broad policy guidelines on Cybersecurity in the Republic and requiresGovernment to develop detailed Cybersecurity policies and strategies.
Page 4
PURPOSE OF THE NCPF
To create a secure, dependable, reliable and trustworthy cyber space that facilitatesthe protection of National Critical Information Infrastructures (NCIIs).
To provide for:
Measures to address national security in terms of cyber space;
Measures to combat cyber warfare, cybercrime, cyber terrorism, cyber espionage and other cyber ills;
The development and review of existing laws to ensure alignment; and
Measures to build confidence and trust in the secure use of ICTs;
The NCPF is aligned to Outcome 3: “All People in South Africa Are and Feel Safe”,Output 7, which requires the development and implementation of a CybersecurityPolicy and the development of capacity to combat and investigate cybercrime.
Page 5
NCPF
a) To articulate
overall aim and
objectives of the South
African Government
b) To centralize
coordination of
Cybersecurity activities;
c) To foster cooperation and
coordination between
Government, the Private Sector
and Civil society
d) To promoteinternational cooperation
e) To develop requisite skills and
R&D capacity
f) Promote a culture of
Cybersecurity
g) Promote compliance
with appropriate
technical and operational
Cybersecurity standards
NCPF OBJECTIVES
Page 6
BENEFITS OF THE NCPF
The NCPF, when implemented will achieve the following:
A safer and more secure cyber space that underpins national security priorities;
The establishment of institutional structures to support a coordinated approach to addressing Cybersecurity;
The identification and protection of National Critical Information Infrastructure (NCII);
A secure e-environment that stimulates economic growth and competitiveness of South Africa;
Promotion of a national research and development agenda relating to Cybersecurity;
Effective prevention, combating and prosecution of cybercrime; and
Enhanced management of Cybersecurity.
Page 7
SA CYBERSECURITY CONCEPTUAL MODEL
CABINET
JCPS CLUSTER DGs FORUM
JCPS CYBERSECURITY RESPONSE
COMMITTEE (CRC)
(Chair: DG SSA)
CYBERSECURITY POLICY
DTPS
Deals with OoS issues
CYBERSECURITY CENTER
SSA
Deals with issues pertaining to NCII
SSA
GOVERNMENT CSIRTSECTOR CSIRTs
CYBERSECURITY HUB
Deals with Civil Society issues
Deals with Sector issues
NATIONAL CYBERSECURITY POLICY FRAMEWORK (NCPF)
Deals with cybercrime
SAPS
NATIONAL CYBERCRIME CENTER
Deals with Military issues
SANDF
CYBER COMMAND
R&D AgendaNCII Policy E-Identity Management StrategyCybercrime Policy Cyber Defence Strategy
Legend:Information flow
CYBERSECURITY LEGISLATION
Awareness Strategy
Page 8
ROLES AND RESPONSIBILITIES
Roles and Responsibilities of Government
• Government has an overall responsibility and accountability for coordination, development and implementation of Cybersecurity measures and to align ICT policies and practices with the Policy.
The Role and Responsibility of the Private Sector and Civil Society
• The Policy promotes cooperation between private sector and Government to address Cybersecurity threats.
• In line with this, the private sector is responsible for implementing minimum Cybersecurity measures as prescribed by Government from time to time.
• Similarly, each person has a responsibility to ensure that his or her electronic device is protected.
• Each person also has a responsibility to report Cybersecurity incidents to the police or the most accessible CSIRT.
Page 9
The NCPF promotes establishment of collaboration with local stakeholders focusing on:
Inclusion of the industry and creating an enabling environment for successful partnership;
Encouraging Private Sector to address common security interests;
Bringing private sector and Government together in trusted forums; and
Creating a common understanding of the threat and vulnerabilities that the country faces andresponses required.
In terms of the policy framework, the Cybersecurity Hub will foster cooperation andcoordination between the public sector, private sector and civil society.
COORDINATION AND COOPERATION
Page 10
NCPF promotes Public-Private-Civil Sector collaboration premised on the fact thatCybersecurity is everyone’s business.
The borderless nature of the cyber space and the challenges it poses in terms ofjurisdiction requires countries to cooperate in order to combat cybercrime.
There is a need for Regional, Continental and International cooperation on matterspertaining to Cybersecurity and cybercrime combating.
COORDINATION AND COOPERATION
PROGRESS TO DATE
Page 12
PROGRESS TO DATE
In line with the Cabinet approved National Cybersecurity Policy Framework (NCPF), theCybersecurity Response Committee (CRC) has finalized the development of the followingdraft policies, strategies and Bill:
• National Cybersecurity Policy (led by SSA);
• National Critical Information Infrastructure Policy (led by SSA);
• National Cybercrime Policy (led by SAPS);
• National Cybersecurity Awareness Strategy (led by DTPS);
• National Cyber Defence Strategy (led by SANDF);
• National Cybersecurity R&D Agenda
• E-Identity Strategy; and
• Cybersecurity and Cybercrimes Bill (led by DoJ&CD);
NATIONAL CYBERSECURITY POLICY
Page 14
NATIONAL CYBERSECURITY POLICY
The Cybersecurity Policy is an overarching policy which outlines Government’s position onCybersecurity matters and measures to be taken to secure the State’s critical informationinfrastructures, businesses and citizens alike.
In order to address cyber threats the Policy aims to:
• Centralise the coordination of Cybersecurity activities;
• Establish institutional Capacity;
• Foster cooperation and coordination between Government, the private sector and the general public, to address cyber threats;
• Promote international cooperation;
• Develop requisite skills, research and development capacity;
• Promote measures to secure National Critical Information Infrastructures (NCIIs) in the public and private spheres against cyber threats;
• Promote a culture of Cybersecurity; and
• Promote the development and implementation of legislation to effectively deal with cybercrime and improve Cybersecurity.
Page 15
POLICY OBJECTIVES
The policy is aimed at consolidating the policy statements and activities contained in theNCPF that are intended to:
• Build confidence and trust in the secure use of the ICT;
• Address national security threats in cyberspace;
• Build institutional and human capacity;
• Build R&D capacity; and
• Create a framework for public-private partnerships and international cooperation.
The measures outlined in the policy will enable South Africa to:
• Address threats to NCIIs and national security;
• Ensure LEAs are appropriately empowered to deal with cybercrime;
• Promote international cooperation;
• Promote public-private partnerships;
• Promote secure online services; and
• Raise general Cybersecurity awareness.
Page 16
GUIDING PRINCIPLES
The Policy is guided by the following key principles:
• All people in South Africa are and feel safe;
• An information society which promotes privacy, security, dignity, access to information and freedom of expression;
• A JCPS-led, coherent and integrated Cybersecurity approach for the Republic;
• Centralised coordination of Cybersecurity activities;
• Fostering of public-private partnerships in relation to Cybersecurity;
• Awareness of cyber threats and promotion of Cybersecurity;
• Regional and international cooperation on Cybersecurity matters ;and
• The revision and alignment of existing legislation.
NATIONAL CRITICAL INFORMATION INFRASTRUCTURE POLICY
Page 18
NATIONAL CRITICAL INFORMATION INFRASTRUCTURES (NCIIs)
The National Critical Information and Infrastructures Policy centralizescoordination of NCIIs identification and protection process.
The NCII Policy seeks to:
• Propose various approaches in the identification and protection process;
• Define the role of the State entities, private sector and citizenry in the NCIIPprocess;
• Create a framework for technical, regulatory and institutional capacitybuilding in the NCIIP process; and
• Propose a review and alignment of current measures with the NCPF.
Page 19
NCII POLICY OBJECTIVES
NCII Objectives are to:
• Centralize coordination of NCIIs identification and protection process;
• Enable the adoption of appropriate mechanisms to identify, protect andsecure SA’s NCII;
• Promote cooperation and define roles of the Public and Private sector in thisregard;
• Develop minimum security standards for NCIIs; and
• Provide for capacity building and awareness programs for NCII protection.
Page 20
PROPOSED NCII IDENTIFICATION CRITERIA
The NCII identification criteria is based on:
• CII/network/system is vital to national law and order, public health, socialservices, economic growth or environmental matters etc.;
• Unavailability/compromise of a CII will have a negative impact on criticalservices such as energy services, financial services, manufacturing services,transportation services, healthcare or social services or emergencyservices;
• Assessment of impact either as maximum, moderate or minimum severityin order to determine security required; and
• Determination of the time period in which an owner of a NCII is required tocomply with the security requirements for a CII.
Page 21
NCII IDENTIFICATION APPROACH
A Risk based NCII Identification approach will focus on:
• Sectors that provide the essential services such as ICT, Financial, Energy,
Transport, Emergency, Manufacturing, Agriculture, Social Services, etc.
• Organs of State (OoS);
• National Key Points (NKPs);
• A Risk Assessment Methodology to be applied to all the sectors; and
• Minister to declare CIIs identified as well as protection mechanism.
NATIONAL CYBERCRIME POLICY
Page 23
NATIONAL CYBERCRIME POLICY
The National Cybercrime Policy is based on various approaches, inclusive of:
• Effective law enforcement and criminal justice responses;
• Strong law enforcement response;
• Activities pertaining to the combating of cybercrime in relation to prevention and detection of cybercrime;
• Intelligence-led investigation through the establishment of specialized investigative capacities;
• Prosecution of cybercrime;
• Cross-cutting activities within Government and the various Clusters;
• A coordinated approach bringing together law enforcement, business and civil society in partnerships; and
• Interaction with international stakeholders and engagement with other countries and institutions.
• Establishment of the National Cybercrime Centre (NCC);
NATIONAL CYBERSECURITY AWARENESS STRATEGY
Page 25
NATIONAL CYBERSECURITY AWARENESS STRATEGY
The National Cybersecurity Awareness Strategy creates awareness amongst South African citizens regarding cyberspace;
The Objectives of the strategy are:
• To create awareness amongst South African citizens regarding cyberspace;
• To identify and inform citizens regarding cyber incidents in South Africa;
• To establish partnerships with the Private sector and Civil Society to share ideas on prevention
and mitigation of cyber incidents;
• To develop awareness mechanisms and interventions tailored to needs of specific sections of
the South African population; and
• To create institutional mechanisms.
NATIONAL CYBER DEFENCE STRATEGY
Page 27
NATIONAL CYBER DEFENCE STRATEGY
The Cyber defence strategy builds cyber defence capacity for the country.
The strategy’s main objective is to acquire the necessary cyber defence capacity through:
• The establishment of a cyber defence capability which will, among others, consist of:
− Cyber Command;
− Cyber Defence Operations Centres; and
− Cyber Defence Workforce;
• Conducting research and development; and
• Ensuring information security.
LEGISLATIVE REVIEW PROCESS
CYBERSECURITY AND CYBERCIMES BILL
Page 29
In line with the NCPF stipulation, the Department of Justice and ConstitutionalDevelopment, reviewed the current legal framework.
The outcome of the reviewing process is the proposed draft Cybersecurity andCybercrimes Bill.
The Bill aims to comprehensively address cybercrime and Cybersecurity in theRepublic.
LEGISLATIVE REVIEW PROCESS
-Secret-
Page 30
Chapter 1: Definitions
Chapter 2: Offences
Chapter 3: Jurisdiction
Chapter 4: Powers to Investigate
Chapter 5: 24/7 Point of Contact
Chapter 6: Structures to deal with Cybersecurity
Chapter 7: NCII Protection
Chapter 8: Evidence
Chapter 9: Obligations on ECSP’s
Chapter 10: Agreements with foreign States or territories
Chapter 11: General Provisions
OVERVIEW OF BILL
Page 31
THANK YOU