Title: Towards a Cybersecurity
1 Towards a Cybersecurity Roadmap for Indonesia: Role of id-FIRST in coordinating effective response and stakeholder engagement
IT Network Security Seminar of SECURE-INDONESIA-FIRST.or.id (id-FIRST), Jakarta, March 19, 2003
- By Idris F Sulaiman PhD
- USAID ICT Advisor / Economist
- State Ministry of Communications and Information and Partnership for Economic Development (USAID-Government of Indonesia) Project
The views expressed in this presentation are those of the authors and not necessarily those of USAID, the U.S. Government or the Government of Indonesia.
2 Topics
- 1) Introduction
  - Some lessons best learnt without experience
  - Need for a comprehensive approach
  - USAID, APECTEL and various National Strategies
- 2) Building blocks of Cybersecurity Roadmap
  - Legal Policy Framework
  - Law Enforcement Agency (LEA) Capacity Building
  - IT Security Teams and CERT Capacity Building
  - Creation of IT Employment Opportunities, Facilitation of Secure Investment Climate and Risk Reduction. Unemployment -- Cybercrime link? Hacker outreach -- work on IT development
- 3) Summing up
3 Heed Warnings! Some lessons are best learned without the experience!
- CELL PHONE and GAS PUMP: A DANGEROUS COMBO!
4 Cell Phones and Gasoline Do Not Mix!
- 3 incidents reported at gas stations
- While pumping fuel a car caught fire from fumes emitted from the tank; a cell phone placed on the trunk of the car rang.
- A man got his face burnt while talking on the phone when refuelling his car.
- A cell phone burnt a man's trousers: the phone in his pocket rang while refuelling his car.
The key pad or ringer apparently produces a small electric spark.
Tragic! Not Funny!! Laughing stock ex-post
Don't let it happen to you!
5 These incidents could be avoided.
- Keep your cell phone switched off at gas stations.
- If expecting an urgent call and phone cannot be switched off, KEEP IT IN THE CAR.
- Do not answer a cell phone when fuelling up.
- Reference: HSE Warning from Society of Petroleum Engineers, dated 2nd November 2001
Your cell phone could ignite a fire!
6 BETTER BE SAFE THAN SORRY!!
Be Cautious - Be Safe!!
7 USAID Indonesia approach
1. INTRODUCTION
- Get policy right first, telecom/Internet build-out will follow
- Framework used in ICT assessment of 20 countries; see USAID Indonesia-ICT Assessment 2001 (IIA2001) Report
  - Policies (Telecom and E-Commerce Regimes)
  - Pipes (Infrastructure)
  - Private Sector (Fostering Entrepreneurship and Removal of Impediments)
  - People (E-leadership, HRD Applications Development)
- The 4 Ps is a comprehensive approach to ICT development
  - a tool which can be used at global, national and local levels to prioritize development initiatives
  - the interaction between them has the potential to create significant multiplier network effects (comprehensive approach).
8 USAID-PEG Projects ICT activities
2. On-going Work
Continue to facilitate the implementation of the National ICT Action Plan (Indonesian Presidential Executive Order, InPres No. 6/2001):
- (1) E-Government: Egov.Task Force, meeting challenges of governance reform at national and regional levels
- (2) Wartel, Warnet and Tele-Center (Warnet) development
- (3) Improve ICT use by Small and Medium-sized Businesses
- (4) Improve telecommunications regulatory framework: facilitate the establishment of modern licensing, frequency mgt, telecom independent regulatory body and other policy innovations, adoption of e-Commerce and Cyber laws, anti-monopoly enforcement
- (5) Cybersecurity: facilitate legal and technical capacity building and other policies and activities to promote cybersecurity
9 REGIONAL CYBERSECURITY EFFORT - APECTEL 26, MOSCOW
2. LEGAL ISSUES
- 26th Meeting of the Telecommunications and Information Working Group of the Asia Pacific Economic Cooperation (APEC)
- Members and observer economies
- Legal Workshop to Combat Cybercrime (Aug 17-18, 2002) sponsored by US-Dept of Justice, US-State Dept and USAID
- APECTEL's sessions (Aug 19-23, 2002)
- European Electronic Standard Signatures Initiatives (EESSI) part of
- E-Security Task Group (ETG) part of
- Business Facilitation Steering Group (BFSG)
- Development Cooperation SG (DCSG)
10 Legal Framework to Counter Cyber Crime
- Aim: for members to take steps towards harmonizing
  - (1) substantive laws to deter criminal misuse of and attacks on computer networks
  - (2) procedural laws to regulate government access to information in order to investigate and deter all sorts of crime facilitated by computer networks and
  - (3) laws to assure effective international coordination
- International Framework used
  - United Nations General Assembly (UNGA) Resolution 55/63, Combating the Criminal Misuse of Information Technologies
  - Council of Europe Cybercrime Convention (Nov. 2001, signed by 30 countries including APEC members)
  - APEC Cybersecurity Strategy proposals (adopted by the APECTEL26 Plenary Session)
11 APEC Cyber Security Strategy
- Comprehensive approach: 5 initiatives, with action items - basis of the country's efforts on cybercrime and critical infrastructure protection (eSecurity Task Group, part of Business Facilitation Steering Group, APECTel 26, Moscow, Aug 19-23, 2002)
  - Legal developments
  - Information sharing and cooperation
  - Security and technical guidelines
  - Public awareness and education
  - Wireless security
- Economic Security - Development Cooperation on job-creation to bridge the digital divide (Development Cooperation Steering Group for TEL26). Major result: Digital Divide Blueprint for Action, Supporting Micro/SMEs, and Considering Next-Generation Technologies and their role in Infrastructure Development
12 Developing legal framework to combat cybercrime in Indonesia
- Adoption of laws is costly and the choice of law cannot be taken lightly because it would require institutional and resource preconditions
- Legal reform by itself will not result in a better business and investment climate because enforcement and public trust are the decisive factors
- A comprehensive approach is needed to remove barriers and constraints
- What are the drivers and constraints?
- Examples: draft cyberlaw and e-signature law
13 BUILDING ON TECHNICAL CAPABILITIES and TRANSPARENCY
3. TECH ISSUES
- (1) Limited Resources of Law Enforcement: IT Cybercrime Unit, National Police (POLRI) is staffed only with a handful of senior investigators for a country of 220 million. Training has started by International Law Enforcement Academy, Bangkok, Thailand but only for 2 officers per year. Local training is an alternative to overcome shortage in forensic and investigator specialists. POLRI is seeking further assistance
- (2) Transparency and trust building between law enforcement and the business community is essential: Indonesia's police to work together with businesses in dealing with crime. Improved privacy/rights protection is needed if Indonesian businesses and the police are to cooperate effectively (slow progress in the implementation of Freedom of Information Law).
- (3) Courts: There are deeper problems associated with Indonesian court system but there are some improvements (e.g. Manulife case)
- (4) ID-FIRST - new forum for stakeholders and constituency building for ISPs, universities, banks, energy/power, telecom and others through their industry associations. Each to build their own Warning And Response Points (WARPs) and Computer Emergency Response Teams (CERTs). ID-FIRST is to facilitate CERTs and WARPs to obtain assistance
- (5) The government to build a National Critical Infrastructure Protection Coordination Task Force (NCIPC Task Force)
- Without coordinating all (1-5), cyber security will be inadequate
14 id-FIRST Background
- Forum for ICT-incident Response and Security Teams (id-FIRST Foundation)
- Supervisory Board: Forum of industry associations (APJII, ASPILUKI, APKOMINDO, ANIMA, INDO-WLI and others in FTII, MASTEL AKKI, ICT Watch)
- Task Force of IT Security Teams (ID-CERT, ID-ISP-CERT, each industry WARPs/CERTs)
- Commissioner Board: Authoritative persons
- Executive Board: Staffed by professionals
- All boards will be elected annually, coordinated by Founding Board based on industry volunteers
- Current services
  - Mailing list abuse_at_apjii.or.id - statistics collected
  - Responding to inquiries from in and outside Indonesia
  - Clearing house for information on IT net security
15 International Symposium CERT-RO, August 27-28, 2002, Amsterdam, the Netherlands
- Alternatives in Computer Emergency Response or E-Security
  - US: CERT/CC - Carnegie-Mellon Univ., Pittsburgh (established November 1988)
  - UK: NISCC - UK government, UK CIP Programme (established 1992)
  - AU: AusCERT - Queensland University, Brisbane (established October 1992)
  - NL: CERT-RO - runs Dutch Alerting Service, est. by ICTU (test run Sep. 2002)
  - AP-CERT Task Force proposed in Tokyo, Japan (March 2002); formal est. date March 2003, APECTEL 27th Meeting in Kuala Lumpur, Malaysia
  - EU: EuroCERT (97-99), now CSIRT Task Force - 79 European CERTs
- Workshop 1: CERTs and Critical Infrastructure Protection (CIP) - establishing effective information sharing and cooperative agreements - national and regional level initiatives
- Workshop 2: Pragmatic analysis of what is working and what is still needed in cooperation and coordination
16 The Netherlands Symposium CONCLUSIONS
- Asia: ideal for cybersecurity regionalization because there are many emerging CERTs and there is often only one per country. Trust relationships are not easy to establish but APCERT/APEC initiative receives strong support
- Europe: regionalization started in 1992 and has been quite successful, but all CERTs combined are yet to cover all critical infrastructure - there are blind spots still. Exchange of information about security incidents works well. A standard for incident reporting and exchange is being developed.
- Alternatives in cybersecurity initiatives (business models)
  - Academic-sector organizations with premium service to the private sector
    - US CERT-CC-US Electronic Industry Alliance, Au-CERT and others
  - Public-private Partnerships with private and public financing
    - UK Action 2000/Y2K private company, Min of Telecom owned, Belgian e-Security Platform (BIPT), Austria's CIRCA (MoT and ISPs owned), VDI Norway
  - Government managed orgs with civil service and/or military personnel
    - UK's National Infrastructure Security Coordination Centre (NISCC)
    - France's CERT-A, Netherlands CERT-RO, Germany's CERT-BUND
    - US National Infrastructure Protection Centre (NIPC) and Information Sharing and Analysis Centers (ISACs), USG Sector Liaisons - banking, power, telecom
    - US Presidential Decision Directive 63, 2002 - Homeland Security
17 Dependability Development Support Initiative (DDSI) Conference, Belgium, Oct 10, 2002
- European strategy or Roadmap for Securing the Information Society - key aspects
  - Warning and Information Sharing (on electronic attacks, i.e. Hacking, Viruses, Trojan, DDoS, etc)
  - Public/private Partnerships and
  - R&D Program (using dependability as an approach)
  - Government Mechanisms (US, the Netherlands, UK's Information Assurance Advisory Council) and International Approaches (EU, OECD and others)
- Dependability (Security, Reliability and Safety) in
  - Architecture: An open or closed network? Principle: A small central organization and build upon existing sharing networks
  - Business Model: Hybrid funding model - mix of public and private sector funding for European capability to retain its objectivity. EU investment should be targeted to stimulate the development of a sustainable market for network security information
  - Legal consideration: must operate in conformance with Community and national commercial codes and privacy legislation
18 Dependability Development Support Initiative (DDSI) Conference (2) US Strategy
- Draft strategy document: The National Strategy to Secure Cyberspace (Sept 2002)
- Key coordinators: Mr. Richard Clarke and Mr. Howard A. Schmidt, respectively Chairman and VC of President's Critical Infrastructure Protection Board (CIPB)
- Out for comments from the public, due date November 18, 2002.
- See http://www.whitehouse.gov/pcipb/ or www.securecyberspace.gov
- Key elements of US strategy to secure cyberspace:
  - Case for Action: Cyberspace Threats and Vulnerabilities
  - Policies and Principles Guiding the Strategy
  - Highlights of the Strategy and
  - Five levels of the National Strategy
    - Home users and small businesses
    - Large enterprises
    - Critical sectors (Federal, State and Local governments, Higher Education, and the Private Sector)
    - The National Priorities (Certification, Info Sharing, Cybercrime, Market Forces, Privacy and Civil Liberties, Cyberspace analysis, Continuity of operations, Recovery and Reconstitution)
    - The Global Issues (Coordination through APEC, 24/7 Coord Centers)
19 Dependability Development Support Initiative (DDSI) Conference (3) US Strategy
- Key Elements: 6 major tools to secure cyberspace:
  - Awareness raising and information dissemination
  - Technology tools
  - Training and education
  - Partnership between private sector, academia and government
  - Federal government leadership role
  - Coordination and crisis management
- Partnership for Critical Infrastructure Protection
  - this is a US public/private initiative in cybersecurity (see http://www.pcis.org/)
  - Headed by Mr. Kenneth C. Watson, Manager of the Critical Infrastructure Assurance Group, CISCO
- Dept of Commerce Critical Infrastructure Assurance Office (CIAO)
  - Initiated a series of public cybersecurity meetings in several US cities (see http://www.ciao.org)
  - Sponsored meetings with US State and local governments from several States including a national-level held in Austin, Texas (Feb 12-13, 2002) and Princeton, New Jersey, April 23-24, 2002
20 Dependability Development Support Initiative (DDSI) Conference (4)
- Information Sharing Network
  - Loose voluntary linkage (not a technical comms network) of entities including CERTs, WARPs, ISACs and other organizations interested in sharing warnings, vulnerabilities, threats and incident reports, and providing advice to each other and their own communities
- UK's Neighbourhood Watch - Warning, Advice and Reporting Point (WARP)
  - Provides warning, advice and reporting services on Internet security-related matters
  - Similar to a CERT but without a capability for responding to incidents (other than providing advice)
- Information Sharing Analysis Center (ISAC)
  - Conceived in US under PDD63 (1998) for coordination between organizations in each CNI sector (Energy, Banking/Finance, Telecommunications, Transport and others)
  - IT ISAC, Telecom ISAC
  - Predictive ISACs do not normally share reports outside their own (paying) membership
- FIRST: Forum of Incident Response and Security Teams - the global organization to which most major CERTs subscribe (www.first.org)
21 Improve Investment Environment and Unemployment Alleviation
4. INVESTMENT ISSUES
- Worsening educated unemployed; most official figures underestimate true situation, mainly heavily concentrated in the cities of Jakarta, Bandung, Jogyakarta, Semarang and Surabaya, which accounted for over 40% of all senior high and nearly half of all graduate unemployed in urban areas in 1999 (no recent statistics are collected)
- Unemployment rates were also highest in these cities: 19% and over versus a 14% unemployment rate among high school graduates in all Indonesia in 1999.
- For many unemployed graduates many Internet cafes or Warnets provide a haven for carding (credit card fraud), hacking and other cybercrime activities; few convictions but lightly punished - no deterrent in the existing laws (even Warnet operators are allegedly involved)
- Improving employment by providing opportunities for IT/software development SMEs - scale up successes of the development of software incubation Balicamp to Balige Tobacamp, Batu (Malang) Camp, Bogorcamp, Bandung High Tech Valley and others
22 Past and Future activities
- Workshops/seminars for awareness raising and capacity building
  - Indon Infocosm Bus. Community (I2BC) Seminar to raise awareness aimed at I2BC members, namely IT services, media security firms, Sep 25, 2002
  - "Indonesia's readiness and response to the threat of cybercrime" Seminar, Showcase and Workshop and Launch of Secure-Indonesia-FIRST (Forum for ICT-incidents and Security Teams), March 19-22, 2003, Jakarta
- Policy work on Public Sector Cybersecurity Readiness within Min of Comm Info and towards a Critical Infrastructure Protection (CIP) national coordination body involving others: Min of Comm Transport, Coord Min of Political and Security Affairs, Min of Industry and Trade, Coord Min of Economic Affairs, National Planning Agency and others.
- Support APEC's Cybersecurity strategy work: Japan, China, Singapore, NZ, Canada, US and Australia have indicated particular interest and support for AP-CERT
- Support APEC Telecom IT Working Group (APECTEL) 27th Meeting in Kuala Lumpur, Malaysia as a focus on cybersecurity issues (with a special additional workshop), 22-28 March 2003 (see www.apectel27.org.my)
23 Towards a Cybersecurity Roadmap...
- Further activities
- Generate building blocks for Cybersecurity Roadmap process
- Overviews - collect info/statistics about incidents, cybercrime and electronic attack, existing warning and information sharing initiatives by selected end-users and stakeholder identification
- Preparation of background issues and options paper
- Set up trust-building forum to share information
- Improve cybersecurity readiness in legal framework
- Capability building in computer emergency and law enforcement agencies but with buffer-zone in between
- Capability building in IT incubation economic growth response
24 MORE NEXT STEPS - Lessons from European Regionalization of CERT/CSIRT Efforts
- In order to respond effectively to possible attacks or problems one has to know what's really going on. Is a script kiddie at work here, a foreign security agency, a terrorist, etc.? Who should respond?
- Systems by themselves (usually) don't respond to attacks. In most cases an incident is only identified after the fact.
- APCERT and most countries are still trying to come up with a good definition of who are the stakeholders/constituents of Critical Infrastructure Protection (CIP).
- Probably the definition will be very similar to the one that was applied in solving the Y2K problem.
- Key question is who decides what CIP consists of, and how can this definition be determined?
- Setting up CERT/CSIRT - private sector or government-led - would be a way to concentrate security issues and responsibility.
25 MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (2)
- If the Private Sector turns out to be the most significant owners of CIP or critical computer systems, then operations of industrial parties are usually based on level service agreements (LSAs) which may be difficult to influence
- Legislation can be helpful in CIP but doesn't provide answers as to who should act in the case of a security incident
- Business continuity and damage minimization usually get a higher priority than tracing/capturing/prosecuting the perpetrator
- Trust relationships built on personal contact do not scale. In the long term another method needs to be found, e.g. using certification and accreditation methods
- Commercial and governmental concerns may clash. In some cases a party may try to deny the occurrence of an incident or deliberately underrate its significance
- Define who, what and how: concise definitions are needed!
26 MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (3)
- Don't expect one agency or one group to solve the whole CIP problem. Define roles and responsibilities; establish partnerships to tackle CIP.
- A national coordination group of CIP elements needs to be convened to develop Cybersecurity CIP Roadmap on
  - ARCHITECTURE - Central facilitation body and networks
    - Principle: Any initiative should comprise a small central organization and build upon existing sharing networks
  - BUSINESS MODEL - added-value services for specific category of potential customer
    - Principle: A hybrid/mix of public-private sector funding model
  - LEGAL - challenges for CIP implementation must be identified, e.g.
    - Competition law, data protection, confidentiality and liability
    - Principle: Must operate in conformance with Community and national commercial codes and privacy legislation
27 MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (4)
- To review and consider the whole CIP issue, distinguish the following five tasks
- Definition phase
  - Task 1: Define CIP (and what are its goals)?
    - What it means in the national context, in terms of impact?
    - Who should be involved? Effectiveness of arrangements on existing CERT (include virus alert systems) in preventing, detecting, and reacting efficiently at national level against network and information system disruption and attack?
  - Task 2: Define roles and responsibilities
    - Who does what?
    - What is the role for CERTs and National CIP Coordination?
    - The layers of responsibility: political and policy vs. the operational day-to-day
28 MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (5)
- Pre-operational phase
  - Task 3: Organise the participation of the parties involved
- Operational phase
  - Task 4: Define the structure in which CIP should be organised, e.g., a joint task force? Use overseas examples, approaches and lessons learned
  - Task 5: How to implement CIP by defining and developing measures?
    - Awareness building
    - Risk management
    - Consequence management
    - Information sharing
29 MORE NEXT STEPS - Asia Pacific Regionalization Effort APCERT-APECTEL26 Initiative (6)
- Integrate national teams into APCERT community
- Establish more CERT/WARPs near to the end users
- Implementation of national schemes of cooperation
- Bottom-up approach in accordance with CIP structures
- CERT of last resort, National CIP/CSIRT Coordination
- From trust to expectations (trust relationships built on personal contact do not scale) - longer term alternatives
  - Standardization
  - Accreditation
  - Certification
- Actively involving new CERTs and helping them set an appropriate level of expectations for their service
30 MORE NEXT STEPS (7) Proposed Relationships APCERT-Task Force and AP Security Incidents Response Coordination
[Diagram. Economy labels: TH, SG, NZ, US, MY, RU, AU, PH, VN, MX, PR, KH, CA, ID, JP, KR, TW, HK, CN. Nodes: APCERT, APSIRC, ID-Gov CERT, ID-ISP CERT, ID-Vendor CERT, JP-Gov CERT, JP-ISP CERT, JP-Vendor CERT.]
31 Future direction in combating cybercrime
- Cybersecurity Roadmap needed on
- Define Architecture, Roles and Responsibilities
- Business Model, Funding and Contributions
- Facilitating Technical Assistance
- Work on Legal Framework and New Guidelines
- Day-to-day Operational Advisories (email and web)
- www.cert.or.id, www.secure-indonesia-first.or.id
- Document translation (in Indonesian and English)
- Ticketing system for incident handling
- Scrubbing of sensitive incidents data
- Support from others: Indonesia Internet Business Community (I2BC), Info-comm (MASTEL) Society, MCI and Donors ICT Group for Indonesia
32 Concluding comments
- Building blocks of cyber security strategy - legal, technical and investment issues - must be seriously considered by both private sector and government - BEFORE - cyber attacks get worse.
- There are some late-comer advantages for Indonesia and other developing countries on policy preparations work because
  - There are emerging global and regional efforts (UN-General Assembly, Council of Europe, APEC, European Union)
  - Possible initial support from donor organizations through the Donor ICT Group for Indonesia (World Bank - formally leading the group)
  - Cybersecurity preparation is less costly if private and public sector work together, minimize risk and share cost
- Outcome of cybersecurity strategy will depend on
  - Trust-building focus - both private and public sectors
  - Private sector (e-security/ICT ind) lead public input in debate
  - Private sector, government and donors effective cooperation
33 JOIN ID-FIRST NOW, Fight Cybercrime Together!!
34 URL addresses
- APECTEL: http://www.apectel.org
- OECD: http://www.oecd.org
- European CERT discussions: http://www.ddsi.org, http://www.iaac.org.uk, http://ewis.jrc.int
- United States: http://www.cert.org, http://www.cybercrime.gov, http://www.usdoj.go
- Australia: http://www.aucert.org.au, http://www.cript.org.au, http://www.noie.gov.au
- Netherlands: http://www.cert-ro.nl
- United Kingdom: http://www.niscc.gov.uk
- International forum for CERTs: http://www.first.org
- Canada: http://www.CanCERT.org.ca
- Mexico: http://www.MxCERT.mx
- Japan: http://www.JpCERT.or.jp
- Malaysia: http://www.mycert.org.my
- Singapore: http://www.singcert.org.sg
- Thailand: http://thaicert.nectec.or.th/
- Taiwan: http://www.cert.org.tw
35 Thank You
- Please provide feedback to: Idris F. Sulaiman, Tel 62 21 520 1047, Fax 62 21 521 0311, Email idris_at_pegasus.or.id
- Websites: Partnership for Economic Growth (PEG) Project www.pegasus.or.id
- Related USAID ICT Projects/Activities: Economic, Law, Institutional and Professional Strengthening (ELIPS) Project www.elips.or.id; The Asia Foundation, Indonesia www.tafindo.org
- USAID Indonesia www.usaid.gov/id