Why Government & Corporate Cyber Programmes are Failing
Why Government & Corporate Cyber Programmes are Failing by Dr. Frederick Wamala at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
International Telecommunication Union
Why Government & Corporate Cyber Programmes are failing
Trivandrum, Kerala, India, 3-4 August 2012
Dr. Frederick Wamala, CISSP®
© Dr. Frederick Wamala, CISSP®
Disclaimer – One for the Lawyers
Opinions expressed here are mine. The views I express do not necessarily reflect those of any past or present employers and/or associates.
All trademarks are the properties of their respective owners.
Quotation – Cybercrime
“In fact, in my opinion, it's the greatest transfer of wealth in history ... McAfee estimates that $1 trillion was spent globally under remediation. And that's our future disappearing in front of us.”
– Gen. Keith Alexander, NSA/CYBERCOM
ITU Cybersecurity Strategy Guides
Cybersecurity Strategy Model
Cybersecurity Strategy Model
URL: http://www.itu.int/ITU-D/cyb/cybersecurity/strategies.html
Strategic Context
Critical Information Infrastructure (CII)
Privately-owned – Govt oversight?
Focus on attack methods not Sources
Threat Assessment
Incomplete Threat Assessments
Threat Sources and Threat Actors
Capability
  Level 1 – Opportunistic
  Level 5 – Extremely capable and well resourced to carry out sophisticated attacks e.g. Flame
Motivation
  Level 0 – No interest in attacking a given system
  Level 5 – An absolute priority of the actor to breach the security of a given system. Use all means e.g. Detailed research, bribery, coercion,
Failure to understand “Cybersecurity Ends”
Cybersecurity “Intensity of Interest”
Cybersecurity is not JUST a technical issue
Cyber attacks threaten ‘vital’ interests of States
India – Impact on Diplomatic Affairs
“A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process.”
Gaps – Legal Measures
Cybercrime legislation coverage
Criminalisation
  Substantive criminal law e.g. Unauthorised access to computer systems and networks
Jurisdiction
Procedure and law enforcement investigative measures
Electronic evidence
Liability of internet service providers
International cooperation
Convention on Cybercrime – 2001
Criminalization
Procedures
Jurisdiction
International Cooperation
Council of Europe Convention on Cybercrime
Criminalization, Procedures, Electronic evidence
Jurisdiction, Service Provider Liability, International Cooperation
Commonwealth Legislation – 2002
Criminalization
Procedures
Electronic evidence
Jurisdiction
International Cooperation
Commonwealth Model Legislation
Criminalization, Procedures, Electronic evidence
Jurisdiction, Service Provider Liability, International Cooperation
US – Joint Chief Lobby for Legislation
Technical and Procedural Measures
Reactive – Subversion of Products
UK – Capacity to certify products
India – Comprehensive Approach
Gaps – Organisational Structures
India – National Cybersecurity Strategy
MCIT/Departmental cybersecurity strategy
Only CERT-In has a national cyber mandate
Oversight: MCIT; Defence, Home Affairs, NSA
DHS vs. White House Czar mandates
US – NSA involvement questioned
Gaps – Capacity Building
Gaps – Cybersecurity Skills
“India is regarded as an IT superpower but its record on IT security is not too brilliant. ... It does not have the required number of experts and professionals in cyber security.”
– Dr. Arvind Gupta, IDSA, India, 27/06/2012
UK – Intelligence not retaining staff
Gaps – International Cooperation
Russia rejects Convention
Convention – Article 32
EU and US wreck UN Treaty
Conclusion
Questions?
Dr. Frederick Wamala, CISSP®
Cybersecurity Adviser – Strategic and Technical
E-mail: [email protected]
Twitter: @DrWamala