SlideShare uma empresa Scribd logo

Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for critical internet resources security in the sadc region

Cade Zvavanjanja
Cade Zvavanjanja

Southern African Internet Governance Forum 2015 (SAIGF-15) Thematic Paper No. 7 “A Case for Multi-stakeholder partnerships for critical Internet resources security in the SADC Region” Produced by: Southern African Development Community (SADC) Secretariat Prepared by: Mr. Cade Zvavanjanja Abstract: With much of SADC‟s Member State‟s critical Internet resources being in the hands of both private and public sector, it seems a natural solution for industry, Government, civic society and private citizens to work together in ensuring it is both secure and resilient. This cooperation in the form of Multi-stakeholder Partnerships (MPs) is needed in and among Member States and at different times, depending on the environment, culture and legal framework. There is no common definition of what constitutes a MP addressing this area. Diversity is strength when making networks and systems resilient, yet there also exist a need for interworking and a common understanding, especially when making a case for SADC view. There is also a need for a global view as there is a growing awareness for a truly global approach to Critical Internet resources security (CIRS). No country can create a CIRS approach in isolation, as there are no national boundaries on the Internet. The paper makes a case for MPs for CIRS in SADC while addressing the Why, Who, How, What and When questions associated with establishing and maintaining MPs for CIRS in SADC. It uses data from both public and private sector stakeholders across 14 SADC countries. This is not a prescriptive guide, but has a focus on clarity of purpose and approach so that stakeholders can easily choose those aspects that will add value to their endeavours in establishing and maintaining MPs.

Tecnologia
1 de 15
Baixar para ler offline
1 | P a g e Southern African Internet Governance Forum 2015 (SAIGF-15) Thematic Paper No. 7 “A Case for Multi-stakeholder partnerships for critical Internet resources security in the SADC Region” Produced by: Southern African Development Community (SADC) Secretariat Prepared by: Mr. Cade Zvavanjanja Table of Contents 1. Abstract...........................................................................................................................................2 2. Introduction ....................................................................................................................................2 3. Background of CIRs .........................................................................................................................3 4. Current CIR Global Security Model .................................................................................................4 4.1 From Table 1: The following observations can be made:.............................................................7 4.2 Current Needs for CIRS in SADC: Interpretation of the observations from Table 1: ..............7 5. Target Stakeholders Analysis ..........................................................................................................8 6. A Multi-stakeholder Partnership Model.......................................................................................11 7. Limits, Risks and Side Effects of Multi-stakeholder Partnerships.................................................12 8. Lessons Learnt...............................................................................................................................13 9. Conclusion.....................................................................................................................................13 10. Internet References (Links) for Further Reading ......................................................................14
2 | P a g e 1. Abstract With much of SADC‟s Member State‟s critical Internet resources being in the hands of both private and public sector, it seems a natural solution for industry, Government, civic society and private citizens to work together in ensuring it is both secure and resilient. This cooperation in the form of Multi-stakeholder Partnerships (MPs) is needed in and among Member States and at different times, depending on the environment, culture and legal framework. There is no common definition of what constitutes a MP addressing this area. Diversity is strength when making networks and systems resilient, yet there also exist a need for interworking and a common understanding, especially when making a case for SADC view. There is also a need for a global view as there is a growing awareness for a truly global approach to Critical Internet resources security (CIRS). No country can create a CIRS approach in isolation, as there are no national boundaries on the Internet. The paper makes a case for MPs for CIRS in SADC while addressing the Why, Who, How, What and When questions associated with establishing and maintaining MPs for CIRS in SADC. It uses data from both public and private sector stakeholders across 14 SADC countries. This is not a prescriptive guide, but has a focus on clarity of purpose and approach so that stakeholders can easily choose those aspects that will add value to their endeavours in establishing and maintaining MPs. KEY WORD: Critical Internet Resources, Internet Governance, Multi-stakeholder, Security, Resilience, SADC, Partnerships. 2. Introduction Since the inception of the World Summit on the Information Society (WSIS) in 2003, the debate over “governance” of “critical Internet resources” (CIR) has escalated. Although WSIS produced a consensus agreement that did not call for major changes to the structure of international Internet governance, criticism of the current arrangements has continued, and governance of CIR was a central theme of the Rio Internet Governance Forum (IGF) 2015. The issue of CIR has also been of interest in the SADC region. With much of SADC‟s Member State‟s critical Internet resources being in the hands of both private and public sector, it seems a natural solution for industry, Government and civic society to work together in ensuring it is both secure and resilient. This cooperation in the form of Multi-stakeholder Partnerships (MPs) has evolved in many Member States and at different times, depending on the environment, culture and legal framework. Securing the Critical Internet Resources is an on-going challenge for operators that require collaboration across administrative boundaries. A lot of attention has been given in recent years to securing the Domain Name System through a technology called DNSSEC1 and Resource Public Key Infrastructure RPKI2 . However, in the last couple of years, the attention has shifted to the security of the Internet routing system and the best practices adopted by network operators around the globe in this 1 http://www.Internetsociety.org/deploy360/wp-content/uploads/2015/06/cctlddnssec-2015-06-19.pdf 2 https://www.arin.net/resources/rpki/
3 | P a g e area. The main questions these efforts are trying to answer are: is your network authorised to use resources such as IP addresses? Do my packets travel through the advertised path or are diverted on their way? These problem statements may sound too technical for the audience but in reality they can quickly be converted in real business impact. Unauthorised claiming of network resources are proven to cause downtime not only for one web server but to complete networks3 . Particularly, imagine a phishing attack where the IP address, the domain name and the TLS certificate are legitimate but you just interacting with the wrong network. The hijack of IP addresses is normally due to bad operational practices (basically miss- configurations that leak to the global Internet) but it is also suspicious of playing a role in SPAM and other sensitive areas in security4 . The paper makes a case for MPs in SADC while addressing the Why, Who, How, What and When questions associated with creating and maintaining MPs for CIRS in SADC .The paper starts with a section on understanding the problems, which the MP aims to address. To help the reader, a list of problems which existing MPs have addressed is provided when answering the „why‟ question. This then leads onto the identified Good Practice observed in addressing these problems. The paper highlights recommendations, observations and, where appropriate. The papers analysis shows that despite the large number and apparent diversity, there are three main approaches taken by MPs in addressing the problems of security and resilience of CIRs. These have been termed Prevention Focused MPs, Response Focused MPs and Umbrella MPs, which will be discussed in the paper. 3. Background of CIRs Part of the outcome of the second phase of the WSIS, Internet Governance was defined in paragraph 34 of the Tunis Agenda as: “the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Within this definition, Critical Internet Resources (CIRs) was referenced in paragraph 58 of the Tunis Agenda: “We recognise that Internet governance includes more than Internet naming and addressing. It also includes other significant public policy issues such as, inter alia, critical Internet resources, the security and safety of the Internet, and developmental aspects and issues pertaining to the use of the Internet.”5 In the view of The Center for Democracy & Technology (CTD)6 , the following can be considered critical to achieving the vision of a widely accessible, affordable, open, and user controlled Internet: • Sufficient IP addressing numbers; • Affordable, easily obtained domain names o Including IDN - domain names in non-Latin characters; • Reliable root name servers; • Stable but extensible protocols and standards; 3 http://blogs.cisco.com/sp/securing-critical-Internet-infrastructure-an-rpki-case-study-in-ecuador 4 https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study 5 http://www.itu.int/en/ITU-T/ipv6/Pages/wsisdocs.aspx 6 https://cdt.org/blog/speak-up-on-the-iana-transition-and-icann-accountability/
4 | P a g e • Bandwidth of Backbone; • Accessible IXP services o Last mile (PSTN, Cable, Wireless, BOP); • Policies supporting trust o Privacy o Security o Freedom of expression o Anti-fraud, anti-crime • Affordable end-point access devices (hardware – computers but also mobile phones) o Includes public access points; • Know how – human capacity; and • Electricity. This broad list covers factors ranging from those that are unique to the Internet (IP addresses) to those that are not (privacy laws and electricity). It also ranges from those that are global in nature (domain names) to those that are largely local in nature (electricity). Others share global and local aspects (anti-fraud). But it should be apparent that where one stands on the definition of what is a “critical” Internet resource depends to a large degree on where one lives (geographically). To many in SADC, bandwidth and electrical power, while neither unique to the Internet nor globally regulated, are critical, overshadowing concerns about, for example, new top level domain names. Defining CIR broadly runs the risk of diluting and confusing the discussion over Internet governance and development. On the other hand, defining CIR as narrowly confined to IP addresses and domain names could divert attention from the key barriers to Internet development in many countries, including still-monopolized communications infrastructures, burdensome licensing schemes, out-dated regulatory systems, limits on spectrum use, and repression of speech, as well as more mundane concerns like hardware and electricity. Moreover, defining CIR as IP addresses and domain names could lead to the misimpression that ICANN7 and the addressing registries are the sole repositories of Internet governance and bear the responsibility for addressing the full range of barriers to Internet development. 4. Current CIR Global Security Model Since its inception, the Internet has been governed. This governance has been exercised by users, who choose and create content to a degree not possible in traditional media; by corporations, though peering agreements and other contractual arrangements for exchange of traffic; by national Governments through their state owned or regulated communications infrastructures; by international treaty organizations like the WTO, which regulates various aspects of trade in communications services, and WIPO, which sets rules for intellectual property; and by non-Governmental standards bodies that develop the protocols and other technical standards, which often embody policy choices affecting individual interests. One way to map Internet governance is as follows, using axes representing the degree of Governmental involvement and the spectrum between individual choices and international institutions8 : Diagram 1: Internet Governance Map: 7 ibid 8 https://cdt.org/files/pdfs/20071114Internet%20gov.pdf
5 | P a g e Adapted from: The Center for Democracy & Technology9 Looking at the critical Internet resources identified above, we see a range of governance bodies: • Addressing numbers – IANA and RIRs; • Domain names – ICANN, TLD registries, including ccTLD registries; • Protocols – IETF, W3C; • Standards – ITU, national standards agencies; • Bandwidth – national Governments; • Exception backbone – largely private contract; • Policies supporting trust – national Governments o International norms – EU, OECD, APEC; • Access devices – national Governments; and • Electricity– national Governments. What is notable about this list is that some of the critical Internet resources currently posing the greatest barriers to Internet development, such as bandwidth, are governed by national Governments, while some of the most successful forms of Internet governance, such as the development and maintenance of the TCP/IP suite of protocols, are exercised by a non-Governmental, unregulated, voluntary entity.10 9 ibid 10 https://cdt.org/files/pdfs/20071114Internet%20gov.pdf
6 | P a g e 5. SADC MEMBER STATES CIRS STATUS QUO: Table 1: An analysis of selected 9 components of CIRS in SADC state Country National CIRT.11 Cyber security standards.12 Certificati on.13 Policy14 Governance roadmap15 Responsible agency 16 Criminal legislation17 Regulation 18 benchmarki ng 19 Angola No No No No No No Yes Yes No Botswana No No No No No Yes Yes Yes No DRC No No No No No No No No No Lesotho No No No No No Yes No No No Madagascar No No No No No No Yes No No Malawi No No No Yes No Yes Yes (Bill) No No Mauritius Yes Yes Yes Yes Yes Yes Yes Yes Yes Mozambique No No No No No No No Yes No Namibia No No No No No No Yes No No Seychelles No No No No No No Yes Yes No SA Yes Yes No Yes Yes Yes Yes No No. Swaziland No No No No No Yes No No No Tanzania Yes Yes No No No No Yes Yes No Zambia Yes No No Yes No No Yes Yes No Zimbabwe No No No (draft) No (draft) No (draft) Yes Yes Yes (Bills) No Data Adapted From: ITU (2015) Cyber security index & cyberwellness profiles cyber security 11 Officially recognized national CERT 12 Officially recognized national (and sector specific) cyber security frameworks for implementing internationally recognized cyber security standards. 13 Officially approved national (and sector specific) cyber security frameworks for the certification and accreditation of national agencies and public sector professionals 14 officially recognized national cyber security strategy (Policy) 15 National governance roadmap for cyber security 16 Responsible agency for cyber security 17 Criminal legislation for cybercrime 18 Officially recognized regulation and compliance requirement pertaining to cyber security. 19 Officially recognized national or sector-specific benchmarking exercises or referential used to measure cyber security development.
7 | P a g e 4.1 From Table 1: The following observations can be made: • Eleven (11) out of fifteen (15) Member States have no CERT; • Only two (2) out of fifteen (15) Member States have an officially recognized national (and sector specific) cyber security frameworks for implementing internationally recognized cyber security standards; • Only one (1) out of fifteen (15) Member States has an officially approved national (and sector specific) cyber security frameworks for the certification and accreditation of national agencies and public sector professionals; • Eleven (11) out of fifteen (15) Member States have no officially recognized national cyber security strategy; • Two (2) out of fifteen (15) Member States have a national governance roadmap for cyber security; • Half of the Member States have no official agency responsible for cyber security; • Eleven (11) out of fifteen (15) Member States have Criminal legislation for cybercrime; • Eight (8) of fifteen (15) Member States have an officially recognized regulation and compliance requirement pertaining to cyber security; • Only one (1) Member State has an officially recognized national or sector- specific benchmarking exercises or referential used to measure cyber security development; and • Mauritius is the only country with all the nine components in place. 4.2 Current Needs for CIRS in SADC: Interpretation of the observations from Table 1: • SADC is currently challenged and has limited institutional, technical and legal measures to effectively secure CIR; • There is need of a new holistic approach among SADC Member States to deal with CIRS; • There is need of Legal measures which allow a nation state to set down the basic response mechanisms to breach: through investigation and prosecution of crimes and the imposition of sanctions for non-compliance or breach of law; • The urgent need for establishment of a national CIRT (Computer Incident Response Team), CERT (Computer Emergency Response Team) or CSIRT (Computer Security incident Response Team) which provides the capabilities to identify, defend, respond and manage cyber threats and enhance cyberspace security in the nation state; • The need for development of a policy to promote cyber security to be recognized as a top priority. A national strategy for Security of Network and Information Systems should maintain resilient and reliable information infrastructure and aim to ensure the safety of citizens; protect the material and intellectual assets of citizens, organizations and the State; prevent cyber- attacks against critical infrastructures; and minimize damage and recovery times from cyber-attacks; • A roadmap for governance in cyber security is needed which is generally established by a national strategy /policy for cyber security, and identifies key stakeholders. The development of a national policy framework is a top priority in developing high-level governance for cyber security. The national policy
8 | P a g e framework must take into account the needs of national critical information infrastructure protection. It should also seek to foster information-sharing within the public sector, and also between the public and private sectors; • A responsible agency for implementing a national cyber security strategy/policy can include permanent committees, official working groups, advisory councils or cross-disciplinary centers are needed in SADC. Most national agencies will be directly responsible for watch and warning systems and incident response, and for the development of organizational structures needed for coordinating responses to cyber-attacks; and • There is need of an officially recognized national or sector-specific benchmarking exercises or referential used to measure cyber security development. For example, based on ISO/IEC 27002- 2005, a national cyber security standard (NCSec Referential) can help nation states respond to specify cyber security requirements. This referential is split into five domains: NCSec Strategy and Policies; NCSec Organizational Structures; NCSec Implementation; National Coordination; Cyber security Awareness Activities. 5. Target Stakeholders Analysis Together, Government and industry can develop a common understanding of their respective roles and responsibilities related to CIRS. The Government can provide coordination and leadership of protection efforts. For example, continuity of Government requires ensuring the security and availability of Governments‟ cyber and physical infrastructure necessary to support its essential missions and services. In addition, the Government can play a key coordinating role during a catastrophic event or it can help in instances when industry lacks sufficient resources to respond to an incident. The Government can promote and encourage voluntary private sector efforts to improve security, including establishing the policies and protocol needed to share timely analytical and useable information about threats, and providing incentives for industry to enhance security beyond what their corporate interests demand. Finally, the Government can sponsor and fund studies and research and development to improve security processes and tools. A fundamental element of successful collaboration between Government and industry is trust. Trust is necessary for establishing, developing, and maintaining sharing relationships between Government and industry. Robust collaboration and information exchange between industry and Government enhances situational awareness, facilitates cooperation on strategic issues, helps manage cyber risk and supports response and recovery activities. Through improved information sharing and analysis, the Government and industry will be better equipped to identify threats and vulnerabilities, and to exchange mitigating and preventive tactics and resources. The table below gives a breakdown of some interests, capabilities and limitation of key target stakeholders:
9 | P a g e Table 2: CIRS STAKEHOLDER ANALYSIS20 Stakeholder Group Interest Capabilities Limitations Government in role of regulator Want reliability and protection to ensure critical Internet resources protection Depends on the integrity and protection of Internet transactions to protect the privacy of citizens and economic wellbeing of the country Can provide a necessary legal enforcement role for cyber security Can also provide a platform for international action and outreach Can provide incentives to encourage greater participation in CIRS Have difficulty coordinating response across large bodies Have fractured and diffuse authority Are hindered in ability to share information by classification processes. Security provision may conflict in some cases with privacy concerns Telecommunications companies, hardware and software provides, Internet service providers Want to deliver services and protect the privacy of customers Want to be reliable suppliers; optimal performance is just as important as permanent availlability, pehaps more so Must be assured that regulation will not stiffle development and disdvantage them ion econmomic compertation Have specialised technicians able to identify abnormal activity quickly Are well- positioned to block “downstream” attacks Are well-placed to distribute security software to their customers and enforce standards through connection agreement with subscribers Are reticent to involve themselves too deeply in security info- sharing due to privacy and liability issues Would likely be unwilling to incur higher costs for security 20 ENISA (2011) Cooperative Models for Effective Public Private Partnerships Desktop Research Report
10 | P a g e Users: Large corporations, small businesses, individuals, Government and private organisations and academia Individuals Want accessibility on demand Need greater protection of personally identifiable information and personal computers Are suspicious of Government role on the Internet and would require strict rules and strong oversight for regulators Have large number of personal machines that could possibly be used to voluntarily collect and distribute information regarding potential or actual attacks Are often unaware of Cyber security risks Are untrained and unaccustomed to guarding against attacks Government Depends on availability of the Internet to provide public services, communicate, store and access vast amounts of information to support national security operations Have large networks that may be already tracked for threat information, a useful dataset for threat analysis Adopt newer, safer technology slowly Does not coordinate response well Business ( Small businesses fall in closer with individual users) Want accessibility on demand Have strong interest in secure networks to advance e- business and safeguard communications and protect proprietary and competitive data. Must be assured regulation will not adversely affect business and innovation Often have sophisticated security organisations or contract out security providers Share information through industry trade associations, standards organisations and Government liaisons Participate in development of standards Adopt new technology and practices more slowly as the size of the institution increases. Have limited participation in info sharing due to privacy and liability concerns
11 | P a g e 6. A Multi-stakeholder Partnership Model Since the nation‟s cyber infrastructure is not Government owned, a partnership of Government, corporate and private stakeholders is required to secure the Internet. Achieving a satisfactory level of CIRS is not an easy task, but the experience accumulated by several successful initiatives demonstrates that, in order to be effective, any CIRS initiative needs to involve several stakeholders. More than that, the reality is that more often than not, the security measures need to be taken by systems administrators, network operators or security professionals in their own networks. However, cooperation with others is key to be able to understand the threats and better evaluate the effectiveness of their actions. A multi-stakeholder process must have the following characteristics:  Involvement of stakeholders in the learning process;  Stakeholders work towards a common goal;  Work involves different sectors and scale;  The objective is focused to bring about change;  Deal with structural changes;  Agreements are created based on cooperation;  Stakeholders deal with power and conflict consciously; and  Bottom-up and top-down strategies are integrated in governance and policy making. While a CIRS partnership is different from others in several key ways, the traditional models have value in defining effective partnership practices. An effective partnership has: a. A representative group of members, large enough to be sufficiently inclusive, but small enough to retain the ability to act quickly; b. A circumscribed role for Government with specific tasks and responsibilities laid out clearly. Industry and private groups should take the lead; and c. Properly motivated members with significant interest and stakes connected to the problem. An effective MP for CIRS would provide the abilities to detect threats and dangerous or anomalous behaviours, to create more secure network environments through better, standardized security programs and protocols and to respond with warnings or technical fixes as needed. Here are some examples:  Utilize a trust model; the scope of the working group needs to be a manageable size to be effective and include those directly affected, and yet large enough to include a broader universe of those impacted;  Incorporate a consensus model without hierarchy to allow the group to adapt and respond to fast changing conditions;  Gain the participation and support of key governing and regulatory bodies; and  Formalize communications with stakeholder groups vs. relying on social networks. These four points bring to light issues like the rapid change of the threat landscape, the need for rapid communication, the involvement and support of Governments and the fact that several stakeholders need to cooperate.
12 | P a g e Network Operator Groups (NOGs) and Regional Internet Registries (RIRs) should be more involved with security issues. There are some areas like routing security (and newly proposed protocols like RPKI or SBGP) or DNSSEC that need worldwide adoption to be effective. RIRs could also work more closely with the CERTs community to improve the WHOIS system to help the incident handling process. Software vendors need to become involved and be more pro-active; after all, most of the security problems we face today are software-related problems. The real challenge is to improve software security and get the software industry to a more mature level. The Governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multi- stakeholder nature of the Internet and the vital importance of the cooperation to address security threats. They need to participate more in the national and international security forums and improve cooperation with other stakeholder 7. Limits, Risks and Side Effects of Multi-stakeholder Partnerships The basic problem is that assessments of the advantages of multi-stakeholder partnerships are for the most part not based on empirical research, and the widely- held notion that there is no alternative is often no more than a profession of faith. Multi-stakeholder partnerships in fact bring a number of risks and side effects with them for the national Governments and the stakeholders involved, which must be considered in any careful analysis of the approach21 :  Growing influence of the business sector in the political discourse and agenda setting. Critics fear that partnership initiatives allow transnational corporations and their interest groups growing influence over agenda setting and political decision-making by Governments;  Risks to reputation: choosing the wrong partner;  Distorting competition and the pretence of representativeness. These partnerships can distort competition, because they provide the corporations involved with an image advantage, and also support those involved in opening up markets and help them gain access to Governments. The selection of partners is also problematic in many multi-stakeholder initiatives. Often, the initiator of a partnerships rather than respective stakeholder groups nominates representatives to the partnership bodies;  Proliferation of partnership initiatives and fragmentation of global governance. The explosive growth in partnerships can lead to isolated solutions, which are poorly coordinated, contributes to the institutional weakening of SADC and its specialised agencies, and hinders comprehensive development strategies;  Unstable financing – a threat to the sufficient provision of public goods. The provision of public goods becomes increasingly privatised, it will become dependent on voluntary and ultimately unpredictable channels of financing through benevolent individuals; 21 Jens Martens (2007) Multi-stakeholder Partnerships – Future Models of Multilateralism
13 | P a g e  Dubious complementarity – Governments escape responsibility. Instead of considering partnership initiatives as complementary to inter-Governmental processes, they are often promoted as replacements of inter-Governmental agreements.  Selectivity in partnerships – governance gaps remain. Partnerships only develop selectively and concentrate on problems in which technical solutions lead to relatively quick wins (vaccination programmes, promoting renewable energy systems). Long-term structural problems such as building up a health system or overcoming gender inequality are only peripherally touched; and  Trends toward elite models of global governance - weakening of representative democracy. Inasmuch as partnerships give all participating actors equal rights, the special political and legal position occupied legitimately by public bodies (Governments and parliaments) is side-lined. 8. Lessons Learnt As stated before, achieving a satisfactory level of CIRS is not an easy task, and the multi-stakeholder initiatives previously discussed are good examples of frameworks that can effectively deal with cyber security current and emerging issues. Therefore, it is recommended that all SADC national and international organizations involved with CIR, for instance, Local Governments, RIRs, Africa Union, United Nations, ISOC Chapters, AFRINIC, among others, should take the following into consideration:  The experience accumulated by the several successful initiatives described in this contribution demonstrates that, in order to be effective, any CIRS initiative depends on cooperation among different stakeholders, and it can't be achieved via a single organization or structure;  There are stakeholders that still need to become more involved, like network operators and software developers;  Governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multi-stakeholder nature of the Internet and the vital importance of cooperation to address security threats. They need to participate more in the national and international security forums and improve cooperation with other stakeholders; and  There is room and a need for new forums and initiatives, but they should not replace existing structures. Any new initiative should aim at leveraging and improving the multi-stakeholder structures already in place today. 9. Conclusion MPs which address security and resilience have evolved in many countries as an efficient means of protecting their CIRs. Each sector, public and private, brings its own, complementary strengths to the table, but such structures come with challenges in their formation, management, and effectiveness. The paper has provided a case for MPs in SADC. This paper sets out the principles, which underpin MPs and considers the range of partnership options available. It also describes some of the ways in which they can be used, and advises on the issues, which need
14 | P a g e to be addressed when implementing them. These should be of assistance to those setting up or evolving similar partnership arrangements and help optimise the chances of success. In addition, the common understanding portrayed in this Guide will lead to further opportunities for inter-working and collaboration.22 10. Internet References (Links) for Further Reading (Disclaimer: In as much as care has been taken to verify and check the links below, The author nor the sponsors of this paper, nor the host of the event, do not take an responsibility of the links provided below as they belong to independent entities, hence we recommend further care to be taken and also note that you will follow them at your own decision and risk)  http://www.osisa.org/sites/default/files/security_sector.pdf  https://www.itu.int/en/ITUD/Cybersecurity/Documents/SADC%20Model%20La w%20Cybercrime.pdf  https://web.nsrc.org/workshops/2015/pacnog17-ws/raw- attachment/wiki/Track3Agenda/DNS-ccTLD-1.pdf  http://www.gov.bw/Global/MTC/ICTPitso/Day1/Cybersecurity%20overview%2 0-%20Presentation.pdf  http://surface.syr.edu/it_etd/65/  https://www.intgovforum.org/cms/Rio_Meeting/IGF2- Critical%20Internet%20Resources-12NOV07.txt  http://css.escwa.org.lb/ictd/1301/5.pdf  http://friendsoftheigf.org/session/69  http://friendsoftheigf.org/session/73  https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure  https://www.arin.net/resources/rpki/  http://blogs.cisco.com/sp/securing-critical-Internet-infrastructure-an-rpki-case- study-in-ecuador  http://blogs.cisco.com/perspectives/securing-critical-Internet-infrastructure-a- rpki-case-study-in-ecuador  https://www.ripe.net/publications/news/industry-developments/youtube- hijacking-a-ripe-ncc-ris-case-study  http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html  http://www.Internetsociety.org/deploy360/dnssec/?gclid=CPT40Laiw8kCFQke wwodvFAAhw  http://www.Internetsociety.org/deploy360/wp- content/uploads/2014/10/DNSSEC-Fact-Sheet-English-v1.pdf  http://stats.labs.apnic.net/dnssec  http://www.Internetsociety.org/deploy360/wp- content/uploads/2015/06/cctlddnssec-2015-06-19.pdf  http://stats.labs.apnic.net/ipv6  http://www.Internetsociety.org/deploy360/securing-bgp/statistics/  https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions  http://stats.labs.apnic.net/dnssec/XK?c=XK&x=1&g=1&r=1&w=1  https://www.isc.org/downloads/bind/dnssec/ 22 ENISA (2011) Cooperative Models for Effective Public Private Partnerships Desktop Research Report
15 | P a g e  https://ripe70.ripe.net/presentations/102-RIPE_2015.pdf  http://www.wired.com/images_blogs/threatlevel/files/nist_on_bgp_security.pdf  http://www.patrickmcdaniel.org/pubs/td-5ugj33.pdf  http://wsms1.intgovforum.org/content/no84-how-can-cooperation-and-multi- stakeholder-collaboration-impact-global-fight-against-cyb

Recomendados

Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
Internet Governance by Its History (1966-2000)
Internet Governance by Its History (1966-2000)Internet Governance by Its History (1966-2000)
Internet Governance by Its History (1966-2000)Jeremy Pesner
 
интернет
интернетинтернет
интернетБулахтин Владислав
 
Module 5 IG Presentation Iran 1
Module 5 IG Presentation Iran 1Module 5 IG Presentation Iran 1
Module 5 IG Presentation Iran 1Habib Noroozi
 
Introduction to Internet Governance and Cyber-security
Introduction to Internet Governance and Cyber-securityIntroduction to Internet Governance and Cyber-security
Introduction to Internet Governance and Cyber-securityGlenn McKnight
 
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...Vincent Mwando
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
Internet
InternetInternet
InternetTughral Yamin
 

Recomendados

Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
Internet Governance by Its History (1966-2000)
Internet Governance by Its History (1966-2000)Internet Governance by Its History (1966-2000)
Internet Governance by Its History (1966-2000)Jeremy Pesner
 
интернет
интернетинтернет
интернетБулахтин Владислав
 
Module 5 IG Presentation Iran 1
Module 5 IG Presentation Iran 1Module 5 IG Presentation Iran 1
Module 5 IG Presentation Iran 1Habib Noroozi
 
Introduction to Internet Governance and Cyber-security
Introduction to Internet Governance and Cyber-securityIntroduction to Internet Governance and Cyber-security
Introduction to Internet Governance and Cyber-securityGlenn McKnight
 
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...
Vincent Ouma Mwando - strong encryption and protection of human rights-the vi...Vincent Mwando
 
Cyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelCyber Critical Infrastructure Framework Panel
Cyber Critical Infrastructure Framework PanelPaul Di Gangi
 
Internet
InternetInternet
InternetTughral Yamin
 
Vincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent Mwando
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
Indonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyIndonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyICT Watch
 
Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014IGF Indonesia
 
COMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKCOMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKBoston Global Forum
 
Net Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarNet Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarExcel Asama
 
Governance & Ediscovery
Governance & EdiscoveryGovernance & Ediscovery
Governance & EdiscoveryLouise Spiteri
 
Hacking3e ppt ch04
Hacking3e ppt ch04Hacking3e ppt ch04
Hacking3e ppt ch04Skillspire LLC
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwarivpnmentor
 
Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...Louise Spiteri
 
Introduction to IETF and Standardisation Process
Introduction to IETF and Standardisation ProcessIntroduction to IETF and Standardisation Process
Introduction to IETF and Standardisation ProcessVinayak Hegde
 
CTO Cybersecurity Forum 2013 Mario Maniewicz
CTO Cybersecurity Forum 2013 Mario ManiewiczCTO Cybersecurity Forum 2013 Mario Maniewicz
CTO Cybersecurity Forum 2013 Mario ManiewiczCommonwealth Telecommunications Organisation
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALLouise Collins
 
BlockChain_Brochure
BlockChain_BrochureBlockChain_Brochure
BlockChain_BrochureThi Dang
 
Through a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet CensorshipThrough a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet CensorshipJoss Wright
 
Chapter 3.docx
Chapter 3.docxChapter 3.docx
Chapter 3.docxAmir Khan
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETFDeploy360 Programme (Internet Society)
 
Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Andrew Coakley
 
RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.IRJET Journal
 
V5I6-0559
V5I6-0559V5I6-0559
V5I6-0559Sudhanshu Pandey
 
Backgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-enBackgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-enMeshingo Jack
 

Mais conteúdo relacionado

Mais procurados

Vincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent Mwando
 
ISOC Update
ISOC UpdateISOC Update
ISOC UpdateAPNIC
 
Indonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyIndonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyICT Watch
 
Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014IGF Indonesia
 
Net Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarNet Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarExcel Asama
 
Governance & Ediscovery
Governance & EdiscoveryGovernance & Ediscovery
Governance & EdiscoveryLouise Spiteri
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwarivpnmentor
 
Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...Louise Spiteri
 
Introduction to IETF and Standardisation Process
Introduction to IETF and Standardisation ProcessIntroduction to IETF and Standardisation Process
Introduction to IETF and Standardisation ProcessVinayak Hegde
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposedNumaan Huq
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALLouise Collins
 
BlockChain_Brochure
BlockChain_BrochureBlockChain_Brochure
BlockChain_BrochureThi Dang
 
Through a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet CensorshipThrough a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet CensorshipJoss Wright
 
Chapter 3.docx
Chapter 3.docxChapter 3.docx
Chapter 3.docxAmir Khan
 

Mais procurados (18)

Vincent O. Mwando - Encryption
Vincent O. Mwando - EncryptionVincent O. Mwando - Encryption
Vincent O. Mwando - Encryption
 
ISOC Update
ISOC UpdateISOC Update
ISOC Update
 
Indonesia National Cyber Security Strategy
Indonesia National Cyber Security StrategyIndonesia National Cyber Security Strategy
Indonesia National Cyber Security Strategy
 
Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014Resume of ID-IGF National Dialogue 2014
Resume of ID-IGF National Dialogue 2014
 
COMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKCOMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORK
 
Net Neutrality Capacity Building Seminar
Net Neutrality Capacity Building SeminarNet Neutrality Capacity Building Seminar
Net Neutrality Capacity Building Seminar
 
Governance & Ediscovery
Governance & EdiscoveryGovernance & Ediscovery
Governance & Ediscovery
 
Hacking3e ppt ch04
Hacking3e ppt ch04Hacking3e ppt ch04
Hacking3e ppt ch04
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwari
 
Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...Managing social software applications in the corporate and public sector envi...
Managing social software applications in the corporate and public sector envi...
 
Introduction to IETF and Standardisation Process
Introduction to IETF and Standardisation ProcessIntroduction to IETF and Standardisation Process
Introduction to IETF and Standardisation Process
 
CTO Cybersecurity Forum 2013 Mario Maniewicz
CTO Cybersecurity Forum 2013 Mario ManiewiczCTO Cybersecurity Forum 2013 Mario Maniewicz
CTO Cybersecurity Forum 2013 Mario Maniewicz
 
wp-us-cities-exposed
wp-us-cities-exposedwp-us-cities-exposed
wp-us-cities-exposed
 
Major Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINALMajor Essay_ US-China Relations_FINAL
Major Essay_ US-China Relations_FINAL
 
BlockChain_Brochure
BlockChain_BrochureBlockChain_Brochure
BlockChain_Brochure
 
Through a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet CensorshipThrough a Router Darkly - Remote Investigation of Internet Censorship
Through a Router Darkly - Remote Investigation of Internet Censorship
 
Chapter 3.docx
Chapter 3.docxChapter 3.docx
Chapter 3.docx
 
ION Hangzhou - About IETF
ION Hangzhou - About IETFION Hangzhou - About IETF
ION Hangzhou - About IETF
 

Semelhante a Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for critical internet resources security in the sadc region

Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Andrew Coakley
 
RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.IRJET Journal
 
Backgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-enBackgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-enMeshingo Jack
 
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017Gilbert Verdian
 
Session 2 ure_changingrules_final
Session 2 ure_changingrules_finalSession 2 ure_changingrules_final
Session 2 ure_changingrules_finalTRPC Pte Ltd
 
The Impact of Data Sovereignty on Cloud Computing in Asia 2013
The Impact of Data Sovereignty on Cloud Computing in Asia 2013The Impact of Data Sovereignty on Cloud Computing in Asia 2013
The Impact of Data Sovereignty on Cloud Computing in Asia 2013FairTechInstitute
 
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...accacloud
 
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsJan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsTimothy Holborn
 
Internet nature
Internet natureInternet nature
Internet natureaabb321
 
National_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfNational_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfAlexandre Pinheiro
 
Blockchain based News Application to combat Fake news
Blockchain based News Application to combat Fake newsBlockchain based News Application to combat Fake news
Blockchain based News Application to combat Fake newsIRJET Journal
 
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INET
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INETThe Internet of Things: An Overview (IoT) ISOC SFO Chapter INET
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INETKaren Rose
 
Sail regulation governance 101018
Sail regulation governance 101018Sail regulation governance 101018
Sail regulation governance 101018SAIL
 
Standard Protocols for Heterogeneous P2P Vehicular Networks
Standard Protocols for Heterogeneous P2P Vehicular NetworksStandard Protocols for Heterogeneous P2P Vehicular Networks
Standard Protocols for Heterogeneous P2P Vehicular Networksijtsrd
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionCloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionIJERA Editor
 
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115James Bryce Clark
 
Nov 2013 Whos who International article
Nov 2013 Whos who International articleNov 2013 Whos who International article
Nov 2013 Whos who International articleCarl Frank
 

Semelhante a Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for critical internet resources security in the sadc region (20)

Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1Blockchain final 25112015 v1.1
Blockchain final 25112015 v1.1
 
RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.RefugeeDo -A Hand to the Deserving.
RefugeeDo -A Hand to the Deserving.
 
V5I6-0559
V5I6-0559V5I6-0559
V5I6-0559
 
Backgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-enBackgrounder wtpf-13-ixps-en
Backgrounder wtpf-13-ixps-en
 
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017
EU Blockchain/DLT standardisation workshop - Strategic Plan 21st October 2017
 
Session 2 ure_changingrules_final
Session 2 ure_changingrules_finalSession 2 ure_changingrules_final
Session 2 ure_changingrules_final
 
The Impact of Data Sovereignty on Cloud Computing in Asia 2013
The Impact of Data Sovereignty on Cloud Computing in Asia 2013The Impact of Data Sovereignty on Cloud Computing in Asia 2013
The Impact of Data Sovereignty on Cloud Computing in Asia 2013
 
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...
The Impact of Data Sovereignty on Cloud Computing in Asia 2013 by the Asia Cl...
 
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedingsJan 2017 Submission to AG Re: Metadata use in civil proceedings
Jan 2017 Submission to AG Re: Metadata use in civil proceedings
 
Internet nature
Internet natureInternet nature
Internet nature
 
NIS.docx
NIS.docxNIS.docx
NIS.docx
 
National_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdfNational_Cyber_Security_Strategy.pdf
National_Cyber_Security_Strategy.pdf
 
Blockchain based News Application to combat Fake news
Blockchain based News Application to combat Fake newsBlockchain based News Application to combat Fake news
Blockchain based News Application to combat Fake news
 
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INET
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INETThe Internet of Things: An Overview (IoT) ISOC SFO Chapter INET
The Internet of Things: An Overview (IoT) ISOC SFO Chapter INET
 
Sail regulation governance 101018
Sail regulation governance 101018Sail regulation governance 101018
Sail regulation governance 101018
 
Standard Protocols for Heterogeneous P2P Vehicular Networks
Standard Protocols for Heterogeneous P2P Vehicular NetworksStandard Protocols for Heterogeneous P2P Vehicular Networks
Standard Protocols for Heterogeneous P2P Vehicular Networks
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionCloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
 
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
Rutkowski OASIS CTI F2F Cybersecurity Act Preso 20160115
 
Nov 2013 Whos who International article
Nov 2013 Whos who International articleNov 2013 Whos who International article
Nov 2013 Whos who International article
 

Mais de Cade Zvavanjanja

Cade zvavanjanja saigf cybercrime & security online
Cade zvavanjanja saigf cybercrime & security onlineCade zvavanjanja saigf cybercrime & security online
Cade zvavanjanja saigf cybercrime & security onlineCade Zvavanjanja
 
Cade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf onlineCade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf onlineCade Zvavanjanja
 
Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1Cade Zvavanjanja
 
A case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanjaA case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanjaCade Zvavanjanja
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreementsCade Zvavanjanja
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresCade Zvavanjanja
 
Introduction to IT Security
Introduction to IT SecurityIntroduction to IT Security
Introduction to IT SecurityCade Zvavanjanja
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 

Mais de Cade Zvavanjanja (10)

Cade zvavanjanja saigf cybercrime & security online
Cade zvavanjanja saigf cybercrime & security onlineCade zvavanjanja saigf cybercrime & security online
Cade zvavanjanja saigf cybercrime & security online
 
Cade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf onlineCade zvavanjanja iot afigf online
Cade zvavanjanja iot afigf online
 
comesa cybersecurity
comesa cybersecuritycomesa cybersecurity
comesa cybersecurity
 
Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1Cyber Security 2016 Cade Zvavanjanja1
Cyber Security 2016 Cade Zvavanjanja1
 
A case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanjaA case for multi-stakeholder cybersecurity by zvavanjanja
A case for multi-stakeholder cybersecurity by zvavanjanja
 
Cloud computing & service level agreements
Cloud computing & service level agreementsCloud computing & service level agreements
Cloud computing & service level agreements
 
Web application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasuresWeb application attacks using Sql injection and countermasures
Web application attacks using Sql injection and countermasures
 
Introduction to IT Security
Introduction to IT SecurityIntroduction to IT Security
Introduction to IT Security
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010
 

Último

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Saigf 15 thematic-paper 7 - A case for multi-stakeholder partnerships for critical internet resources security in the sadc region

  • 1. 1 | P a g e Southern African Internet Governance Forum 2015 (SAIGF-15) Thematic Paper No. 7 “A Case for Multi-stakeholder partnerships for critical Internet resources security in the SADC Region” Produced by: Southern African Development Community (SADC) Secretariat Prepared by: Mr. Cade Zvavanjanja Table of Contents 1. Abstract...........................................................................................................................................2 2. Introduction ....................................................................................................................................2 3. Background of CIRs .........................................................................................................................3 4. Current CIR Global Security Model .................................................................................................4 4.1 From Table 1: The following observations can be made:.............................................................7 4.2 Current Needs for CIRS in SADC: Interpretation of the observations from Table 1: ..............7 5. Target Stakeholders Analysis ..........................................................................................................8 6. A Multi-stakeholder Partnership Model.......................................................................................11 7. Limits, Risks and Side Effects of Multi-stakeholder Partnerships.................................................12 8. Lessons Learnt...............................................................................................................................13 9. Conclusion.....................................................................................................................................13 10. Internet References (Links) for Further Reading ......................................................................14
  • 2. 2 | P a g e 1. Abstract With much of SADC‟s Member State‟s critical Internet resources being in the hands of both private and public sector, it seems a natural solution for industry, Government, civic society and private citizens to work together in ensuring it is both secure and resilient. This cooperation in the form of Multi-stakeholder Partnerships (MPs) is needed in and among Member States and at different times, depending on the environment, culture and legal framework. There is no common definition of what constitutes a MP addressing this area. Diversity is strength when making networks and systems resilient, yet there also exist a need for interworking and a common understanding, especially when making a case for SADC view. There is also a need for a global view as there is a growing awareness for a truly global approach to Critical Internet resources security (CIRS). No country can create a CIRS approach in isolation, as there are no national boundaries on the Internet. The paper makes a case for MPs for CIRS in SADC while addressing the Why, Who, How, What and When questions associated with establishing and maintaining MPs for CIRS in SADC. It uses data from both public and private sector stakeholders across 14 SADC countries. This is not a prescriptive guide, but has a focus on clarity of purpose and approach so that stakeholders can easily choose those aspects that will add value to their endeavours in establishing and maintaining MPs. KEY WORD: Critical Internet Resources, Internet Governance, Multi-stakeholder, Security, Resilience, SADC, Partnerships. 2. Introduction Since the inception of the World Summit on the Information Society (WSIS) in 2003, the debate over “governance” of “critical Internet resources” (CIR) has escalated. Although WSIS produced a consensus agreement that did not call for major changes to the structure of international Internet governance, criticism of the current arrangements has continued, and governance of CIR was a central theme of the Rio Internet Governance Forum (IGF) 2015. The issue of CIR has also been of interest in the SADC region. With much of SADC‟s Member State‟s critical Internet resources being in the hands of both private and public sector, it seems a natural solution for industry, Government and civic society to work together in ensuring it is both secure and resilient. This cooperation in the form of Multi-stakeholder Partnerships (MPs) has evolved in many Member States and at different times, depending on the environment, culture and legal framework. Securing the Critical Internet Resources is an on-going challenge for operators that require collaboration across administrative boundaries. A lot of attention has been given in recent years to securing the Domain Name System through a technology called DNSSEC1 and Resource Public Key Infrastructure RPKI2 . However, in the last couple of years, the attention has shifted to the security of the Internet routing system and the best practices adopted by network operators around the globe in this 1 http://www.Internetsociety.org/deploy360/wp-content/uploads/2015/06/cctlddnssec-2015-06-19.pdf 2 https://www.arin.net/resources/rpki/
  • 3. 3 | P a g e area. The main questions these efforts are trying to answer are: is your network authorised to use resources such as IP addresses? Do my packets travel through the advertised path or are diverted on their way? These problem statements may sound too technical for the audience but in reality they can quickly be converted in real business impact. Unauthorised claiming of network resources are proven to cause downtime not only for one web server but to complete networks3 . Particularly, imagine a phishing attack where the IP address, the domain name and the TLS certificate are legitimate but you just interacting with the wrong network. The hijack of IP addresses is normally due to bad operational practices (basically miss- configurations that leak to the global Internet) but it is also suspicious of playing a role in SPAM and other sensitive areas in security4 . The paper makes a case for MPs in SADC while addressing the Why, Who, How, What and When questions associated with creating and maintaining MPs for CIRS in SADC .The paper starts with a section on understanding the problems, which the MP aims to address. To help the reader, a list of problems which existing MPs have addressed is provided when answering the „why‟ question. This then leads onto the identified Good Practice observed in addressing these problems. The paper highlights recommendations, observations and, where appropriate. The papers analysis shows that despite the large number and apparent diversity, there are three main approaches taken by MPs in addressing the problems of security and resilience of CIRs. These have been termed Prevention Focused MPs, Response Focused MPs and Umbrella MPs, which will be discussed in the paper. 3. Background of CIRs Part of the outcome of the second phase of the WSIS, Internet Governance was defined in paragraph 34 of the Tunis Agenda as: “the development and application by Governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.” Within this definition, Critical Internet Resources (CIRs) was referenced in paragraph 58 of the Tunis Agenda: “We recognise that Internet governance includes more than Internet naming and addressing. It also includes other significant public policy issues such as, inter alia, critical Internet resources, the security and safety of the Internet, and developmental aspects and issues pertaining to the use of the Internet.”5 In the view of The Center for Democracy & Technology (CTD)6 , the following can be considered critical to achieving the vision of a widely accessible, affordable, open, and user controlled Internet: • Sufficient IP addressing numbers; • Affordable, easily obtained domain names o Including IDN - domain names in non-Latin characters; • Reliable root name servers; • Stable but extensible protocols and standards; 3 http://blogs.cisco.com/sp/securing-critical-Internet-infrastructure-an-rpki-case-study-in-ecuador 4 https://www.ripe.net/publications/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study 5 http://www.itu.int/en/ITU-T/ipv6/Pages/wsisdocs.aspx 6 https://cdt.org/blog/speak-up-on-the-iana-transition-and-icann-accountability/
  • 4. 4 | P a g e • Bandwidth of Backbone; • Accessible IXP services o Last mile (PSTN, Cable, Wireless, BOP); • Policies supporting trust o Privacy o Security o Freedom of expression o Anti-fraud, anti-crime • Affordable end-point access devices (hardware – computers but also mobile phones) o Includes public access points; • Know how – human capacity; and • Electricity. This broad list covers factors ranging from those that are unique to the Internet (IP addresses) to those that are not (privacy laws and electricity). It also ranges from those that are global in nature (domain names) to those that are largely local in nature (electricity). Others share global and local aspects (anti-fraud). But it should be apparent that where one stands on the definition of what is a “critical” Internet resource depends to a large degree on where one lives (geographically). To many in SADC, bandwidth and electrical power, while neither unique to the Internet nor globally regulated, are critical, overshadowing concerns about, for example, new top level domain names. Defining CIR broadly runs the risk of diluting and confusing the discussion over Internet governance and development. On the other hand, defining CIR as narrowly confined to IP addresses and domain names could divert attention from the key barriers to Internet development in many countries, including still-monopolized communications infrastructures, burdensome licensing schemes, out-dated regulatory systems, limits on spectrum use, and repression of speech, as well as more mundane concerns like hardware and electricity. Moreover, defining CIR as IP addresses and domain names could lead to the misimpression that ICANN7 and the addressing registries are the sole repositories of Internet governance and bear the responsibility for addressing the full range of barriers to Internet development. 4. Current CIR Global Security Model Since its inception, the Internet has been governed. This governance has been exercised by users, who choose and create content to a degree not possible in traditional media; by corporations, though peering agreements and other contractual arrangements for exchange of traffic; by national Governments through their state owned or regulated communications infrastructures; by international treaty organizations like the WTO, which regulates various aspects of trade in communications services, and WIPO, which sets rules for intellectual property; and by non-Governmental standards bodies that develop the protocols and other technical standards, which often embody policy choices affecting individual interests. One way to map Internet governance is as follows, using axes representing the degree of Governmental involvement and the spectrum between individual choices and international institutions8 : Diagram 1: Internet Governance Map: 7 ibid 8 https://cdt.org/files/pdfs/20071114Internet%20gov.pdf
  • 5. 5 | P a g e Adapted from: The Center for Democracy & Technology9 Looking at the critical Internet resources identified above, we see a range of governance bodies: • Addressing numbers – IANA and RIRs; • Domain names – ICANN, TLD registries, including ccTLD registries; • Protocols – IETF, W3C; • Standards – ITU, national standards agencies; • Bandwidth – national Governments; • Exception backbone – largely private contract; • Policies supporting trust – national Governments o International norms – EU, OECD, APEC; • Access devices – national Governments; and • Electricity– national Governments. What is notable about this list is that some of the critical Internet resources currently posing the greatest barriers to Internet development, such as bandwidth, are governed by national Governments, while some of the most successful forms of Internet governance, such as the development and maintenance of the TCP/IP suite of protocols, are exercised by a non-Governmental, unregulated, voluntary entity.10 9 ibid 10 https://cdt.org/files/pdfs/20071114Internet%20gov.pdf
  • 6. 6 | P a g e 5. SADC MEMBER STATES CIRS STATUS QUO: Table 1: An analysis of selected 9 components of CIRS in SADC state Country National CIRT.11 Cyber security standards.12 Certificati on.13 Policy14 Governance roadmap15 Responsible agency 16 Criminal legislation17 Regulation 18 benchmarki ng 19 Angola No No No No No No Yes Yes No Botswana No No No No No Yes Yes Yes No DRC No No No No No No No No No Lesotho No No No No No Yes No No No Madagascar No No No No No No Yes No No Malawi No No No Yes No Yes Yes (Bill) No No Mauritius Yes Yes Yes Yes Yes Yes Yes Yes Yes Mozambique No No No No No No No Yes No Namibia No No No No No No Yes No No Seychelles No No No No No No Yes Yes No SA Yes Yes No Yes Yes Yes Yes No No. Swaziland No No No No No Yes No No No Tanzania Yes Yes No No No No Yes Yes No Zambia Yes No No Yes No No Yes Yes No Zimbabwe No No No (draft) No (draft) No (draft) Yes Yes Yes (Bills) No Data Adapted From: ITU (2015) Cyber security index & cyberwellness profiles cyber security 11 Officially recognized national CERT 12 Officially recognized national (and sector specific) cyber security frameworks for implementing internationally recognized cyber security standards. 13 Officially approved national (and sector specific) cyber security frameworks for the certification and accreditation of national agencies and public sector professionals 14 officially recognized national cyber security strategy (Policy) 15 National governance roadmap for cyber security 16 Responsible agency for cyber security 17 Criminal legislation for cybercrime 18 Officially recognized regulation and compliance requirement pertaining to cyber security. 19 Officially recognized national or sector-specific benchmarking exercises or referential used to measure cyber security development.
  • 7. 7 | P a g e 4.1 From Table 1: The following observations can be made: • Eleven (11) out of fifteen (15) Member States have no CERT; • Only two (2) out of fifteen (15) Member States have an officially recognized national (and sector specific) cyber security frameworks for implementing internationally recognized cyber security standards; • Only one (1) out of fifteen (15) Member States has an officially approved national (and sector specific) cyber security frameworks for the certification and accreditation of national agencies and public sector professionals; • Eleven (11) out of fifteen (15) Member States have no officially recognized national cyber security strategy; • Two (2) out of fifteen (15) Member States have a national governance roadmap for cyber security; • Half of the Member States have no official agency responsible for cyber security; • Eleven (11) out of fifteen (15) Member States have Criminal legislation for cybercrime; • Eight (8) of fifteen (15) Member States have an officially recognized regulation and compliance requirement pertaining to cyber security; • Only one (1) Member State has an officially recognized national or sector- specific benchmarking exercises or referential used to measure cyber security development; and • Mauritius is the only country with all the nine components in place. 4.2 Current Needs for CIRS in SADC: Interpretation of the observations from Table 1: • SADC is currently challenged and has limited institutional, technical and legal measures to effectively secure CIR; • There is need of a new holistic approach among SADC Member States to deal with CIRS; • There is need of Legal measures which allow a nation state to set down the basic response mechanisms to breach: through investigation and prosecution of crimes and the imposition of sanctions for non-compliance or breach of law; • The urgent need for establishment of a national CIRT (Computer Incident Response Team), CERT (Computer Emergency Response Team) or CSIRT (Computer Security incident Response Team) which provides the capabilities to identify, defend, respond and manage cyber threats and enhance cyberspace security in the nation state; • The need for development of a policy to promote cyber security to be recognized as a top priority. A national strategy for Security of Network and Information Systems should maintain resilient and reliable information infrastructure and aim to ensure the safety of citizens; protect the material and intellectual assets of citizens, organizations and the State; prevent cyber- attacks against critical infrastructures; and minimize damage and recovery times from cyber-attacks; • A roadmap for governance in cyber security is needed which is generally established by a national strategy /policy for cyber security, and identifies key stakeholders. The development of a national policy framework is a top priority in developing high-level governance for cyber security. The national policy
  • 8. 8 | P a g e framework must take into account the needs of national critical information infrastructure protection. It should also seek to foster information-sharing within the public sector, and also between the public and private sectors; • A responsible agency for implementing a national cyber security strategy/policy can include permanent committees, official working groups, advisory councils or cross-disciplinary centers are needed in SADC. Most national agencies will be directly responsible for watch and warning systems and incident response, and for the development of organizational structures needed for coordinating responses to cyber-attacks; and • There is need of an officially recognized national or sector-specific benchmarking exercises or referential used to measure cyber security development. For example, based on ISO/IEC 27002- 2005, a national cyber security standard (NCSec Referential) can help nation states respond to specify cyber security requirements. This referential is split into five domains: NCSec Strategy and Policies; NCSec Organizational Structures; NCSec Implementation; National Coordination; Cyber security Awareness Activities. 5. Target Stakeholders Analysis Together, Government and industry can develop a common understanding of their respective roles and responsibilities related to CIRS. The Government can provide coordination and leadership of protection efforts. For example, continuity of Government requires ensuring the security and availability of Governments‟ cyber and physical infrastructure necessary to support its essential missions and services. In addition, the Government can play a key coordinating role during a catastrophic event or it can help in instances when industry lacks sufficient resources to respond to an incident. The Government can promote and encourage voluntary private sector efforts to improve security, including establishing the policies and protocol needed to share timely analytical and useable information about threats, and providing incentives for industry to enhance security beyond what their corporate interests demand. Finally, the Government can sponsor and fund studies and research and development to improve security processes and tools. A fundamental element of successful collaboration between Government and industry is trust. Trust is necessary for establishing, developing, and maintaining sharing relationships between Government and industry. Robust collaboration and information exchange between industry and Government enhances situational awareness, facilitates cooperation on strategic issues, helps manage cyber risk and supports response and recovery activities. Through improved information sharing and analysis, the Government and industry will be better equipped to identify threats and vulnerabilities, and to exchange mitigating and preventive tactics and resources. The table below gives a breakdown of some interests, capabilities and limitation of key target stakeholders:
  • 9. 9 | P a g e Table 2: CIRS STAKEHOLDER ANALYSIS20 Stakeholder Group Interest Capabilities Limitations Government in role of regulator Want reliability and protection to ensure critical Internet resources protection Depends on the integrity and protection of Internet transactions to protect the privacy of citizens and economic wellbeing of the country Can provide a necessary legal enforcement role for cyber security Can also provide a platform for international action and outreach Can provide incentives to encourage greater participation in CIRS Have difficulty coordinating response across large bodies Have fractured and diffuse authority Are hindered in ability to share information by classification processes. Security provision may conflict in some cases with privacy concerns Telecommunications companies, hardware and software provides, Internet service providers Want to deliver services and protect the privacy of customers Want to be reliable suppliers; optimal performance is just as important as permanent availlability, pehaps more so Must be assured that regulation will not stiffle development and disdvantage them ion econmomic compertation Have specialised technicians able to identify abnormal activity quickly Are well- positioned to block “downstream” attacks Are well-placed to distribute security software to their customers and enforce standards through connection agreement with subscribers Are reticent to involve themselves too deeply in security info- sharing due to privacy and liability issues Would likely be unwilling to incur higher costs for security 20 ENISA (2011) Cooperative Models for Effective Public Private Partnerships Desktop Research Report
  • 10. 10 | P a g e Users: Large corporations, small businesses, individuals, Government and private organisations and academia Individuals Want accessibility on demand Need greater protection of personally identifiable information and personal computers Are suspicious of Government role on the Internet and would require strict rules and strong oversight for regulators Have large number of personal machines that could possibly be used to voluntarily collect and distribute information regarding potential or actual attacks Are often unaware of Cyber security risks Are untrained and unaccustomed to guarding against attacks Government Depends on availability of the Internet to provide public services, communicate, store and access vast amounts of information to support national security operations Have large networks that may be already tracked for threat information, a useful dataset for threat analysis Adopt newer, safer technology slowly Does not coordinate response well Business ( Small businesses fall in closer with individual users) Want accessibility on demand Have strong interest in secure networks to advance e- business and safeguard communications and protect proprietary and competitive data. Must be assured regulation will not adversely affect business and innovation Often have sophisticated security organisations or contract out security providers Share information through industry trade associations, standards organisations and Government liaisons Participate in development of standards Adopt new technology and practices more slowly as the size of the institution increases. Have limited participation in info sharing due to privacy and liability concerns
  • 11. 11 | P a g e 6. A Multi-stakeholder Partnership Model Since the nation‟s cyber infrastructure is not Government owned, a partnership of Government, corporate and private stakeholders is required to secure the Internet. Achieving a satisfactory level of CIRS is not an easy task, but the experience accumulated by several successful initiatives demonstrates that, in order to be effective, any CIRS initiative needs to involve several stakeholders. More than that, the reality is that more often than not, the security measures need to be taken by systems administrators, network operators or security professionals in their own networks. However, cooperation with others is key to be able to understand the threats and better evaluate the effectiveness of their actions. A multi-stakeholder process must have the following characteristics:  Involvement of stakeholders in the learning process;  Stakeholders work towards a common goal;  Work involves different sectors and scale;  The objective is focused to bring about change;  Deal with structural changes;  Agreements are created based on cooperation;  Stakeholders deal with power and conflict consciously; and  Bottom-up and top-down strategies are integrated in governance and policy making. While a CIRS partnership is different from others in several key ways, the traditional models have value in defining effective partnership practices. An effective partnership has: a. A representative group of members, large enough to be sufficiently inclusive, but small enough to retain the ability to act quickly; b. A circumscribed role for Government with specific tasks and responsibilities laid out clearly. Industry and private groups should take the lead; and c. Properly motivated members with significant interest and stakes connected to the problem. An effective MP for CIRS would provide the abilities to detect threats and dangerous or anomalous behaviours, to create more secure network environments through better, standardized security programs and protocols and to respond with warnings or technical fixes as needed. Here are some examples:  Utilize a trust model; the scope of the working group needs to be a manageable size to be effective and include those directly affected, and yet large enough to include a broader universe of those impacted;  Incorporate a consensus model without hierarchy to allow the group to adapt and respond to fast changing conditions;  Gain the participation and support of key governing and regulatory bodies; and  Formalize communications with stakeholder groups vs. relying on social networks. These four points bring to light issues like the rapid change of the threat landscape, the need for rapid communication, the involvement and support of Governments and the fact that several stakeholders need to cooperate.
  • 12. 12 | P a g e Network Operator Groups (NOGs) and Regional Internet Registries (RIRs) should be more involved with security issues. There are some areas like routing security (and newly proposed protocols like RPKI or SBGP) or DNSSEC that need worldwide adoption to be effective. RIRs could also work more closely with the CERTs community to improve the WHOIS system to help the incident handling process. Software vendors need to become involved and be more pro-active; after all, most of the security problems we face today are software-related problems. The real challenge is to improve software security and get the software industry to a more mature level. The Governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multi- stakeholder nature of the Internet and the vital importance of the cooperation to address security threats. They need to participate more in the national and international security forums and improve cooperation with other stakeholder 7. Limits, Risks and Side Effects of Multi-stakeholder Partnerships The basic problem is that assessments of the advantages of multi-stakeholder partnerships are for the most part not based on empirical research, and the widely- held notion that there is no alternative is often no more than a profession of faith. Multi-stakeholder partnerships in fact bring a number of risks and side effects with them for the national Governments and the stakeholders involved, which must be considered in any careful analysis of the approach21 :  Growing influence of the business sector in the political discourse and agenda setting. Critics fear that partnership initiatives allow transnational corporations and their interest groups growing influence over agenda setting and political decision-making by Governments;  Risks to reputation: choosing the wrong partner;  Distorting competition and the pretence of representativeness. These partnerships can distort competition, because they provide the corporations involved with an image advantage, and also support those involved in opening up markets and help them gain access to Governments. The selection of partners is also problematic in many multi-stakeholder initiatives. Often, the initiator of a partnerships rather than respective stakeholder groups nominates representatives to the partnership bodies;  Proliferation of partnership initiatives and fragmentation of global governance. The explosive growth in partnerships can lead to isolated solutions, which are poorly coordinated, contributes to the institutional weakening of SADC and its specialised agencies, and hinders comprehensive development strategies;  Unstable financing – a threat to the sufficient provision of public goods. The provision of public goods becomes increasingly privatised, it will become dependent on voluntary and ultimately unpredictable channels of financing through benevolent individuals; 21 Jens Martens (2007) Multi-stakeholder Partnerships – Future Models of Multilateralism
  • 13. 13 | P a g e  Dubious complementarity – Governments escape responsibility. Instead of considering partnership initiatives as complementary to inter-Governmental processes, they are often promoted as replacements of inter-Governmental agreements.  Selectivity in partnerships – governance gaps remain. Partnerships only develop selectively and concentrate on problems in which technical solutions lead to relatively quick wins (vaccination programmes, promoting renewable energy systems). Long-term structural problems such as building up a health system or overcoming gender inequality are only peripherally touched; and  Trends toward elite models of global governance - weakening of representative democracy. Inasmuch as partnerships give all participating actors equal rights, the special political and legal position occupied legitimately by public bodies (Governments and parliaments) is side-lined. 8. Lessons Learnt As stated before, achieving a satisfactory level of CIRS is not an easy task, and the multi-stakeholder initiatives previously discussed are good examples of frameworks that can effectively deal with cyber security current and emerging issues. Therefore, it is recommended that all SADC national and international organizations involved with CIR, for instance, Local Governments, RIRs, Africa Union, United Nations, ISOC Chapters, AFRINIC, among others, should take the following into consideration:  The experience accumulated by the several successful initiatives described in this contribution demonstrates that, in order to be effective, any CIRS initiative depends on cooperation among different stakeholders, and it can't be achieved via a single organization or structure;  There are stakeholders that still need to become more involved, like network operators and software developers;  Governments, including military and intelligence sectors, in addition to traditional security and defense strategies, need to improve their awareness of the multi-stakeholder nature of the Internet and the vital importance of cooperation to address security threats. They need to participate more in the national and international security forums and improve cooperation with other stakeholders; and  There is room and a need for new forums and initiatives, but they should not replace existing structures. Any new initiative should aim at leveraging and improving the multi-stakeholder structures already in place today. 9. Conclusion MPs which address security and resilience have evolved in many countries as an efficient means of protecting their CIRs. Each sector, public and private, brings its own, complementary strengths to the table, but such structures come with challenges in their formation, management, and effectiveness. The paper has provided a case for MPs in SADC. This paper sets out the principles, which underpin MPs and considers the range of partnership options available. It also describes some of the ways in which they can be used, and advises on the issues, which need
  • 14. 14 | P a g e to be addressed when implementing them. These should be of assistance to those setting up or evolving similar partnership arrangements and help optimise the chances of success. In addition, the common understanding portrayed in this Guide will lead to further opportunities for inter-working and collaboration.22 10. Internet References (Links) for Further Reading (Disclaimer: In as much as care has been taken to verify and check the links below, The author nor the sponsors of this paper, nor the host of the event, do not take an responsibility of the links provided below as they belong to independent entities, hence we recommend further care to be taken and also note that you will follow them at your own decision and risk)  http://www.osisa.org/sites/default/files/security_sector.pdf  https://www.itu.int/en/ITUD/Cybersecurity/Documents/SADC%20Model%20La w%20Cybercrime.pdf  https://web.nsrc.org/workshops/2015/pacnog17-ws/raw- attachment/wiki/Track3Agenda/DNS-ccTLD-1.pdf  http://www.gov.bw/Global/MTC/ICTPitso/Day1/Cybersecurity%20overview%2 0-%20Presentation.pdf  http://surface.syr.edu/it_etd/65/  https://www.intgovforum.org/cms/Rio_Meeting/IGF2- Critical%20Internet%20Resources-12NOV07.txt  http://css.escwa.org.lb/ictd/1301/5.pdf  http://friendsoftheigf.org/session/69  http://friendsoftheigf.org/session/73  https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure  https://www.arin.net/resources/rpki/  http://blogs.cisco.com/sp/securing-critical-Internet-infrastructure-an-rpki-case- study-in-ecuador  http://blogs.cisco.com/perspectives/securing-critical-Internet-infrastructure-a- rpki-case-study-in-ecuador  https://www.ripe.net/publications/news/industry-developments/youtube- hijacking-a-ripe-ncc-ris-case-study  http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html  http://www.Internetsociety.org/deploy360/dnssec/?gclid=CPT40Laiw8kCFQke wwodvFAAhw  http://www.Internetsociety.org/deploy360/wp- content/uploads/2014/10/DNSSEC-Fact-Sheet-English-v1.pdf  http://stats.labs.apnic.net/dnssec  http://www.Internetsociety.org/deploy360/wp- content/uploads/2015/06/cctlddnssec-2015-06-19.pdf  http://stats.labs.apnic.net/ipv6  http://www.Internetsociety.org/deploy360/securing-bgp/statistics/  https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions  http://stats.labs.apnic.net/dnssec/XK?c=XK&x=1&g=1&r=1&w=1  https://www.isc.org/downloads/bind/dnssec/ 22 ENISA (2011) Cooperative Models for Effective Public Private Partnerships Desktop Research Report
  • 15. 15 | P a g e  https://ripe70.ripe.net/presentations/102-RIPE_2015.pdf  http://www.wired.com/images_blogs/threatlevel/files/nist_on_bgp_security.pdf  http://www.patrickmcdaniel.org/pubs/td-5ugj33.pdf  http://wsms1.intgovforum.org/content/no84-how-can-cooperation-and-multi- stakeholder-collaboration-impact-global-fight-against-cyb