UN-Singapore Cyber Programme Training course, on behalf of the UN Office for Disarmament Affairs (c/o gohg@un.org). By: Abdul-Hakeem Ajijola, info@consultancyss.com. Singapore, 15-16 July 2019. Norms Awareness Workshop for ASEAN Member States (UNODA; UN GGE 2015; GCSC; GFCE; cyber diplomacy).
1. Title slide
UN-Singapore Cyber Programme Training course, on behalf of the UN Office for Disarmament Affairs, c/o gohg@un.org
By: Abdul-Hakeem Ajijola, info@consultancyss.com
Singapore, 15-16 July 2019
2. Day 1 Agenda
• Definitions: Governance, Internet Governance & Norms
• UN-GGE 2015 Report Focus
• Norms that have a limiting character
• What is a CERT/ CSIRT?
• Why: You need technology to stay ahead
• CERT Goals
• CERT Services
• Example: CERRT.ng Cyber Security Ecosystem
• CERT Global Framework
• National Cyber-Security (NCSec) Management System Framework
• National Cyber Security Management System: Framework, Maturity Model & Implementation Guide by Taieb DEBBAGH, PhD
• Organisation of Islamic Cooperation-Computer Emergency Response Team
• Discussion: Responding to an Incident?
3. DEFINITIONS: GOVERNANCE, INTERNET GOVERNANCE & NORMS
Governance
• The continuous exercise of authority over, and the performance of functions for, a political unit: rule
• Authoritative direction or control
Source: https://www.merriam-webster.com/dictionary/government
Internet governance
• Development & application of shared principles, norms, rules, decision-making procedures, & programs that shape the evolution & use of the Internet
Source: https://encyclopedia.thefreedictionary.com/Internet+Governance
Norms
• An authoritative standard: model
• Voluntary political commitments
• A principle of right action binding upon the members of a group & serving to guide, control, or regulate proper & acceptable behavior
• Soft law
Source: https://www.merriam-webster.com/dictionary/norm
Cyber stability
• A state where all stakeholders are free to enjoy the benefits of cyberspace without fear
Source: http://cyberstability.org/
Source: https://www.quora.com/Are-there-any-rules-in-war
4. UN-GGE 2015 REPORT FOCUS
Four areas of the report:
• Existing & emerging threats
• Norms, rules, & principles for the responsible behaviour of States
• Confidence-building measures (CBMs), capacity building & international cooperation
• Applicability of international law
Existing & emerging threats:
• Affirmation that international law applies in cyberspace
• A 'dramatic increase in incidents' that 'create risks for all States'
• 'A number of States are developing ICT capabilities for military purposes'
• Use of ICTs in future conflicts between States is becoming 'more likely'
• Dangers stemming from attacks against critical infrastructure systems
5. UN Office for Disarmament Affairs gohg@un.org
States
should:
Not knowingly allow their territory to be used for
internationally wrongful acts using ICTs;
Not conduct or knowingly support ICT activity that
intentionally damages critical infrastructure;
Take steps to ensure supply chain security, & should
seek to prevent the proliferation of malicious ICT & the
use of harmful hidden functions;
Not conduct or knowingly support activity to harm the
information systems of another state’s emergency
response teams (CERT/CSIRTS) & should not use their
own teams for malicious international activity;
Respect the UN resolutions that are linked to human
rights on the internet & to the right to privacy in the
digital age.
NORMS THAT HAVE A LIMITING CHARACTER
Weaponisation
of
Interdependence
…”
e.g. Huawei, Turkey
Harvard Professor.
Emeritus Joseph Nye
Norm(k)
6. WHAT IS A CERT/ CSIRT? ANALOGY: A HOSPITAL
7. WHY: YOU NEED TECHNOLOGY TO STAY AHEAD
8. CERT GOALS
• Prevention
• Reaction
• Future-proofing
9. CERT SERVICES
Reactive services
• Alerts & Warnings
• Incident Handling: incident analysis; incident response support; incident response coordination; incident response on site
• Vulnerability Handling: vulnerability analysis; vulnerability response; vulnerability response coordination
• Artefact Handling: artefact analysis; artefact response; artefact response coordination
Proactive services
• Announcements
• Technology Watch
• Security Audits or Assessments
• Configuration & Maintenance of Security Tools, Applications & Infrastructures
• Development of Security Tools
• Intrusion Detection Services
• Security-Related Information Dissemination
• Policy Guidelines
Security Quality Management
• Risk Analysis
• Business Continuity & Disaster Recovery
• Security Consulting
• Awareness Building
• Education/ Training
• Product Evaluation or Certification
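The reactive services above are listed only by name. As an added example (not part of the course material, and not code from any CERT named in this deck), the Python below shows what the artefact-handling chain looks like in practice: artefact analysis (hashing, a known-bad lookup against a peer team's indicator list, extraction of printable strings and of a few indicator types) followed by the artefact response coordination record one team would pass to a peer CERT. Every sample byte string, hash, pattern and team name is constructed for illustration; the "C2 host" uses the reserved .invalid domain.

```python
"""Artefact handling in a CERT: analysis, then a coordination record for a peer team.

Added example with constructed data; it is not code or data from the course
material. The 'malware' below is a handful of harmless byte strings.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample that a peer CERT has already reported as malicious.
# Its hash stands in for the indicator feed a peer team would share.
PEER_REPORTED_SAMPLE = b"MZ\x90\x00fake-dropper\x00cmd.exe /c whoami\x00"
KNOWN_BAD_SHA256 = {hashlib.sha256(PEER_REPORTED_SAMPLE).hexdigest()}

# Constructed new submission from a constituent; hypothetical C2 host.
NEW_SUBMISSION = (
    b"MZ\x90\x00\x03\x00\x00\x00constructed-sample\x00"
    b"powershell -enc SQBFAFgA\x00"
    b"http://c2.example.invalid/update.bin\x00"
    b"\x00\x01\x02random-junk"
)

# Illustrative triage signatures; a real team keeps these in its own rule set.
INDICATOR_PATTERNS = {
    "shell-exec": re.compile(rb"cmd\.exe\s+/c\s+[\x21-\x7e]+", re.I),
    "encoded-powershell": re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]+", re.I),
    "url": re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\w./\-]*)?", re.I),
}


@dataclass
class ArtefactReport:
    sha256: str
    size: int
    known_bad: bool
    indicators: dict[str, list[str]] = field(default_factory=dict)
    strings: list[str] = field(default_factory=list)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """What the `strings` tool does: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def analyse_artefact(data: bytes) -> ArtefactReport:
    """Artefact analysis: hash, known-bad lookup, indicator and string extraction."""
    digest = hashlib.sha256(data).hexdigest()
    report = ArtefactReport(
        sha256=digest, size=len(data), known_bad=digest in KNOWN_BAD_SHA256
    )
    report.strings = printable_strings(data)
    for name, pattern in INDICATOR_PATTERNS.items():
        hits = [hit.decode("ascii", "replace") for hit in pattern.findall(data)]
        if hits:
            report.indicators[name] = hits
    return report


def coordination_record(report: ArtefactReport, from_team: str, to_team: str,
                        tlp: str = "TLP:AMBER") -> str:
    """Artefact response coordination: share the hash and indicators with a
    peer team, not the sample itself and not the raw strings, which may carry
    constituent data. The TLP marking limits onward distribution."""
    lines = [
        f"{tlp} artefact notice from {from_team} to {to_team}",
        f"sha256={report.sha256} size={report.size} known_bad={report.known_bad}",
    ]
    for name, hits in sorted(report.indicators.items()):
        lines.append(f"{name}: {', '.join(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in (PEER_REPORTED_SAMPLE, NEW_SUBMISSION):
        print(coordination_record(analyse_artefact(sample), "AIRLAND CERT", "FIRELAND CERT"))
        print()
```

The split between analyse_artefact and coordination_record is the point: analysis keeps everything (including strings that may identify the constituent), while the record sent to a peer team carries only the hash, the size and the extracted indicators under a TLP marking, which is what a national or regional CERT in the framework on the following slides would actually exchange.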
10. CERT GLOBAL FRAMEWORK
• Global: FIRST; others?
• Regional: ENISA; AP-CERT; OIC-CERT; AfricaCERT; others?
• National: SingCERT; CSM (CyberSecurity Malaysia); OCERT; TunCERT; others?
• Specialised: CERRT.ng; others?
• Industry/ Sectorial: ?
• Independent: ALIACOM (France); others?
(Brunei CERT model)
11. UN Office for Disarmament Affairs gohg@un.org
CERRT.ng National Coordinating CERRT with
CERRT.ng Coordination Centre (CC)
Global/ Regional
FIRST
OIC-CERT,
AfricaCERT,APCERRT
Other?
Information
Communications
Technology
Service providers
Country Domain &
DNS
ICT Vendors
Other?
National Security
Establishment
CERRT
Intelligence
Military
SecurityLaw Enforcement
special sectors like
Nuclear
Cyber Forensics
Laboratory
Central Bank of
Nigeria (CBN)
Financial Sector
CERRT
Banks
Clearing
HousePension
Institutions
Other
financial
institutions?
Academic CERRT’s
Higher Education
Institutions
Research
Institutes
Other?
Private Sector
Electrical Power
Oil & Gas
entities
Aviation
Water
Other?
EXAMPLE: CERRT.NG CYBER SECURITY ECOSYSTEM
Critical
Information
Infrastructure
providers
12. NATIONAL CYBER-SECURITY (NCSEC) MANAGEMENT SYSTEM FRAMEWORK
• Framework: 5 Domains with 34 processes (ITU)
• Maturity model: 5 levels for each Domain; self-assessment
• Roles & responsibilities: RACI chart (R = Responsible, A = Accountable, C = Consulted, I = Informed)
• Implementation guide
13. NATIONAL CYBER SECURITY MANAGEMENT SYSTEM: FRAMEWORK, MATURITY MODEL & IMPLEMENTATION GUIDE BY TAIEB DEBBAGH, PHD
Domain 1: Strategy and Policies (SP)
• SP1 CySec Strategy: Promulgate & endorse a National Cybersecurity Strategy
• SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and one lead institution per stakeholder category
• SP3 CySec Policies: Identify or define the policies of the CySec strategy
• SP4 Critical Infrastructures: Establish & integrate risk management for identifying & prioritizing protective efforts regarding CySec (CIIP)
• SP5 Stakeholders: Identify the degree of readiness of each stakeholder regarding the implementation of the CySec strategy & how stakeholders pursue the CySec strategy & policies
Domain 2: Implementation and Organisation (IO)
• IO1 CySec Council: Define a National Cybersecurity Council for coordination between all stakeholders, to approve the CySec strategy
• IO2 CySec Authority: Define a specific high-level authority for coordination among cybersecurity stakeholders
• IO3 National CERT: Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
• IO4 Privacy: Review the existing privacy regime and update it for the on-line environment
• IO5 Laws: Ensure that a lawful framework is settled and regularly levelled
• IO6 Institutions: Identify institutions with cybersecurity responsibilities, and procure resources that enable CySec implementation
• IO7 National Experts and Policymakers: Identify the appropriate experts and policymakers within government, the private sector and universities
• IO8 Training: Identify training requirements and how to achieve them
• IO9 Government: Implement a cybersecurity plan for government-operated systems that takes change management into account
• IO10 International Expertise: Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts
Domain 3: Awareness and Communication (AC)
• AC1 Leaders in the Government: Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the CySec through policy-level discussions
• AC2 National Cybersecurity and Capacity: Manage national cybersecurity and capacity at the national level
• AC3 Continuous Service: Ensure continuous service within each stakeholder and among stakeholders
• AC4 National Awareness: Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
• AC5 Awareness Programs: Implement security awareness programs and initiatives for users of systems and networks
• AC6 Citizens and Child Protection: Support outreach to civil society with special attention to the needs of children and individual users
• AC7 Research and Development: Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
• AC8 CySec Culture for Business: Encourage the development of a culture of security in business enterprises
• AC9 Available Solutions: Develop awareness of cyber risks and available solutions
• AC10 CySec Communication: Ensure national cybersecurity communication
Domain 4: Compliance and Coordination (CC)
• CC1 International Compliance & Cooperation: Ensure regulatory compliance with regional and international recommendations and standards
• CC2 National Cooperation: Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, universities and NGOs at the national level
• CC3 Private Sector Cooperation: Encourage cooperation among groups from interdependent industries (through the identification of common threats). Encourage the development of private sector groups from different critical infrastructure industries to address common security interests collaboratively with government (through the identification of problems and allocation of costs)
• CC4 Incident Handling: Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and the private sector)
• CC5 Points of Contact: Establish points of contact (or CSIRTs) within government, industry and universities to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate CySec performance in each sector
Domain 5: Evaluation and Monitoring (EM)
• EM1 CySec Observatory: Set up the CySec observatory
• EM2 Mechanisms for Evaluation: Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global CySec performance
• EM3 CySec Assessment: Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
• EM4 CySec Governance: Provide national cybersecurity governance
14. ORGANISATION OF ISLAMIC COOPERATION-COMPUTER EMERGENCY RESPONSE TEAM
Source: Copyright OIC-CERT 2013
Timeline
• 2005 (21-23 Jun), Putrajaya, Malaysia: Formation of the OIC-CERT Task Force led by Malaysia, at the Annual Meeting of the IDB Board of Governors.
• 2008 (18-20 Jun), Kampala, Uganda: OIC Resolution 3/35-INF, Collaboration of Computer Emergency Response Team (CERT) Among the OIC Member Countries, 35th Session of the Council of Foreign Ministers.
• 2009 (13-15 Jan), Kuala Lumpur, Malaysia: KL 2009 Resolution, appointment of the OIC-CERT SC. Malaysia, through CyberSecurity Malaysia, was elected as the 1st Chair for the 2009-2011 term. OIC-CERT Annual Conference & 1st AGM; Malaysia is now the Permanent Secretariat.
• 2009 (23-25 May), Damascus, Syria: OIC Resolution 2/36-INF, Granting OIC-CERT an Affiliated Institution Status, 36th Session of the Council of Foreign Ministers.
Mandate (extract from the Resolution of the 35th Session of the Council of Foreign Ministers, Kampala, Uganda): OIC-CERT will be a group dedicated to providing support & response to computer security incidents.
Mission statement: OIC-CERT is to provide a platform for member countries to explore & develop collaborative initiatives & possible partnerships in matters pertaining to cyber security that shall strengthen their self-reliance in cyberspace.
Objectives
• Strengthen the relationships amongst CERTs of the OIC/ IDB member countries
• Enhance information sharing in the cyber security field
• Prevent & reduce cyber-crimes
• Cultivate & foster education & outreach ICT security programs
• Promote collaborative technology research & development
• Provide cyber emergency channels among member countries
15. DISCUSSION: RESPONDING TO AN INCIDENT?
Domains of attribution
• Technical: Identify the technical source. Do you have the human & technical capacity to confirm the true origins of an "attack"?
• Legal: Is the "alleged" activity a violation of international norms &/ or laws? Do you know the laws & your rights?
• Political: Does the nation-state have the political will to make the accusation? Can you accuse your ally or creditor?
16. EXERCISE 1: PHYSICAL ATTACK OF CERT
Scenario: AIRLAND's military/ intelligence says of FIRELAND CERT: "FIRELAND CERT has been spying on us…. We should bomb them."
What should AIRLAND do?
17. EXERCISE 2: CERT VS CERT
Scenario: AIRLAND's military/ intelligence says: "Let's use our AIRLAND CERT to cyber attack FIRELAND CERT." (cf. Norm (k), slide 5)
What should AIRLAND do?
18. Thank you for your attention
(Repeated on the slide in Malay, Vietnamese, Thai, Spanish, Khmer and Lao, and as "Oarkun Djeraan".)
info@consultancyss.com
19. Day 2 Agenda
• Principles that state good practices & positive duties for the purposes of international security
• Vulnerability Equities Process
• Global Norms Development Initiatives
• Norm Endorsements
• Implementation
• VEP Discussion
20. PRINCIPLES THAT STATE GOOD PRACTICES & POSITIVE DUTIES FOR THE PURPOSES OF INTERNATIONAL SECURITY
States should:
• Cooperate to increase stability & security in the use of ICTs & to prevent harmful practices;
• Consider all relevant information in case of ICT incidents;
• Consider how best to cooperate to exchange information, to assist each other, & to prosecute terrorist & criminal use of ICTs;
• Take appropriate measures to protect their critical infrastructure;
• Respond to appropriate requests for assistance by other States whose critical infrastructure is subject to malicious ICT acts;
• Encourage responsible reporting of ICT vulnerabilities & share remedies to these (Norm (j)).
21. VULNERABILITY EQUITIES PROCESS
The choice facing a government that holds a vulnerability:
• Keep it secret for offensive use against the government's adversaries; or
• Disclose it to the public to help improve general computer security.
Source: Burton Group, https://www.slideshare.net/shaharmaor/from-creeper-to-stuxnet?from_action=save
GCSC Singapore Norms Package: "States should create procedurally transparent frameworks to assess whether & when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems & technologies. The default presumption should be in favor of disclosure."
22. GLOBAL NORMS DEVELOPMENT INITIATIVES
• UN Group of Governmental Experts (GGE) on Developments in the Field of Information & Telecommunications in the Context of International Security
• Cybersecurity, Norms & Values
• Declaration on Responsible States Behavior in Cyberspace
• New Norms on Digital Society
• System Initiative on Shaping the Future of Digital Economy & Society
• Global Commission on the Stability of Cyberspace
Norm design: identify digital governance issues; form digital cooperation networks; support networks through digital cooperation platforms
Norm implementation: develop norm design & adoption capacity; provide a "norm exchange" to connect communities; offer implementation incentives
Norm enforcement: develop norms into laws/ regulations; adjudicate/ resolve disputes & conflicts; establish clear guard rails for digital technologies
Sources:
CCDCOE: https://ccdcoe.org/2015-un-gge-report-major-players-recommending-norms-behaviour-highlighting-aspects-international-l-0.html
Samir Saran: https://www.orfonline.org/research/new-norms-for-a-digital-society/
WEF: https://www.weforum.org/system-initiatives/shaping-the-future-of-digital-economy-and-society
23. APPLICATION OF CYBER NORMS
• 547 like-minded states (62 countries), companies & civil society organizations
• The norm to protect the public core of the Internet is part of ENISA's mandate through the EU Cybersecurity Act, which took effect on Thursday 27 June 2019
• The Tech Accord made special reference to the norm to avoid tampering, the norm against commandeering of ICT devices into botnets, & the norm for states to create a VEP
• Charter of Trust principles: ownership of cyber & IT security; responsibility throughout the digital supply chain; security by default; user-centricity; innovation & co-creation; education; certification for critical infrastructure & solutions; transparency & response; regulatory framework; joint initiatives
• UK Surveillance Camera code of practice & legal requirements: surveillance camera code of practice; surveillance camera guidance, tools & templates
24. IMPLEMENTATION
Immediate ask: read, understand, internalise, practice, improve, champion, own them.
Institutional mechanisms
• UN body: Internet Governance Forum Plus? Distributed Co-Governance (COGOV) architecture? Digital Commons Architecture?
• Multi-stakeholder institute
• Regional commission
Widespread acceptance: outreach & advocacy; monitoring; research; convening
Utility/ usage
Attribution: possible but difficult; domains: technical, legal, political; a political hot potato
Codify into international law: the ideal
"Cyber-criminals operate at the speed of light while law enforcement moves at the speed of law."[1]
[1] Barry Raveendran Greene, www.getit.org
25. VEP DISCUSSION
• Should a vulnerability be disclosed?
• If yes, then when, and to whom: producers/ public?
• Decriminalize vulnerability research!
Disclosure timeline figure: Day 0, Day X, Day Y
Source: https://www.semanticscholar.org/paper/The-U.S.-Vulnerabilities-Equities-Process%3A-An-Caulfield-Ioannidis/74bf39809651aaa55a79b082c4fb3c6eccf0fb3c/figure/0
26. Thank you for your attention
(Repeated on the slide in Malay, Vietnamese, Thai, Spanish, Khmer and Lao, and as "Oarkun Djeraan".)
info@consultancyss.com