If you are having trouble viewing this email, click here to view this online

 

VOLUME 80

   ISSUE 80

23 March 2018

Article of the Month Around the World

Overview of the National Information and Cyber Security Strategy
 

 

‘Around the globe, digital technologies have evolved into a powerful economic tool that has improved quality of life of citizens and transformed the way that governments, businesses, and citizens connect, engage, and access information and services. Many societies are now dependent on digital technologies which has led these technologies to be considered as a fundamental social infrastructure.


Along with their numerous benefits digital technologies also brings with them numerous cyber threats. The global number of cyber security incidents recorded in 2015 is 59.06 million1. A study estimates that the total annual cost of all data breaches by 2019 will be $2.1 trillion which is almost four times the estimated cost of breaches in 20152. In Sri Lanka, The Sri Lanka Computer Emergency Readiness Team | Coordination Centre (Sri Lanka CERT|CC) has received 3907 cyber security related incidents in 2017, which is a significant increase from 2010.


In this context, we, the government of Sri Lanka, seeks to show our commitment to keep the nation safe, secure and prosperous, by introducing Sri Lanka’s first Information and Cyber Security Strategy which will be implemented over period of five years from 2018 to 2023. Our strategy aims to create a resilient and trusted cyber security ecosystem that will enable le Sri Lanka
 

Our strategy is underpinned by six pillars:

1. Establishment of a governance framework to implement national information and cyber security strategy

2. Enactment and formulation of legislation, policies, and standards to create a regulatory environment to protect individuals and organizations in the cyber space

3. Development of a skilled and competent workforce to detect, defend and respond to cyber attacks

 4. Collaboration with public authorities to ensure that the digital government systems implemented and operated by the them have the appropriate level of cyber security and resilience

5. Raising awareness and empowering citizens to defend themselves against cyber crimes

6. Development of public-private, local-international partnerships to create a robust cyber-security

Thrust # 1: Establishment of the Governance Framework

Our Strategy


In 2006, the government of Sri Lanka established Sri Lanka CERT|CC as the single trusted source of advice on the latest threats and vulnerabilities affecting computer systems and networks, charged with the responsibility of providing technical support in responding to and recovering from Cyberattacks. Sri Lanka CERT was established under the Information and Communication Technology Agency (ICTA) of Sri Lanka, and comes under the purview of the Ministry of Telecommunication and Digital Infrastructure.


As the complexity of the cyber security ecosystem increases, the government of Sri Lanka recognizes the necessity of introducing a national information and cyber security strategy to cope with emerging threats. It is a high-level top-down approach to information and cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.


In line with the strategy, a National Information and Cyber Security Agency will be established. The Agency will be responsible for overseeing the implementation of the cyber security strategy, setting national polices, facilitating the protection of critical national infrastructure, educating citizens, building a pioneering technology competent workforce, and promoting industry development
 

“Our strategy is to establish a powerful agency which oversees the overall implementation of the information and cyber security strategy of Sri Lanka, and to establish specialized subordinate agencies for effectively battling emerging cyber threats”

1.1. Establishment of the National Information and Cyber Security Agency of Sri Lanka (NICSA)

NICSA will be established as the apex institution for all cyber security related affairs in Sri Lanka. The Agency mandate shall be to oversee the implementation of the national information and cyber security strategy.

1.1.1. Agency shall be governed by a high-level committee which comprises of the representatives of Ministries involved in the Defence, Justice, Finance, ICT and Telecommunication, Media, and Public Administration. The Head of the Agency shall represent the National Security Council of Sri Lanka.
The agency shall,

1.1.1. Function as the command and control body to promote this strategy and play a leading role in implementing cyber security initiatives set forth in this strategy.

1.1.2. Provide technical support for law enforcement authorities in conducting digital forensic investigations.

1.1.3. Build the capacity of sectoral CERTs and facilitate Sri Lanka CERT|CC to coordinate with sectoral CERTs for sharing incident information, best practices and other security related information.

1.1.4. Provide technical support to government bodies such as Ministries, authorities, boards, corporations etc.

1.1.5. Disseminate emerging cyber threat warnings to all Sri Lankans.

1.1.6. Act as a certification body issuing licenses for firms conducting information security related services.

1.2. Institutions Under the NICSA

1.2.1. We will continue to operate Sri Lanka CERT|CC as the National CERT to protect users in the public and private sector organizations and the general public by providing up-to-date information on potential threats and vulnerabilities and by undertaking computer emergency response handling services.

1.2.2. We will set up a 24 X 7 Cyber Security Call Center with a focus on assisting citizens, government organizations, and private firms to respond to cyber security incidents.
1.2.3. We will set up a National Cyber Alert System with the involvement of Internet Service Providers (ISPs) and Telcos to deliver targeted, timely, and actionable information to Sri Lankans and to educate citizens on how to secure their computer systems.

1.2.4. We will establish a Digital Forensic Lab to conduct digital forensic investigations and examinations in the areas of computer forensics, mobile forensics, audio forensics, video forensics and so forth.

1.2.5. We will establish the National Cyber Security Operating Centre (NCSOC) for monitoring threats to digital government applications, critical information infrastructure, and critical systems of private firms.

1.2.6. We will establish the National Certification Authority (NCA) by addressing the limitations of the existing certificate authorities.

1.2.7. We will establish a Research Unit for developing, coordinating and stimulating continuous research activities in the fields of Strategic Policy Research, Information Security Research, Cyber Security and Technology related research.

1.2.8. We will appoint Chief Security officer positon and Information Security officers for public service (Refer Thrust Area 3).

1.3. Monitoring and Evaluation (M&E) Framework

A comprehensive results based M&E framework will be developed to assess and measure the performance of the outcomes and outputs as a result of the implementation of the strategy.

To be continued.....

Invitation to Public Comments on Cyber Security Strategy. Please add your thoughts here:

 

By:

Dr. Kanishka Karunasena,

Research and Policy Development Specialist, Sri Lanka CERT



 

 

 

 

 

 

 

 

 

 


 




 

 

 

 

 

 

 

 

 

 

 

 

References

1 Statistics on the Internet growth in Sri Lanka
http://www.trc.gov.lk/images/pdf/
statis_sep_2012.doc
2.The Dragon Research Group (DRG)
http://www.dragonresearchgroup.org/
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
https://www.jpcert.or.jp/english/tsubame/
4.Shadowserver Foundation
http://www.shadowserver.org/wiki/
5. Team Cymru
http://www.team-cymru.com
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
  
  Facebook will limit developers’ access to account data
  

  

"...In the wake of the Cambridge Analytica scandal, Facebook has announced further limits it’ll be placing on apps that gain access to your account. Developers will now receive less information in the first place, they’ll be cut off from access when people stop using their app, and they’ll have to get Facebook’s approval to access more detailed information...."

 

GOOGLE PATCHES 11 CRITICAL BUGS IN MARCH ANDROID SECURITY BULLETIN

  

"...Google patched 11 critical vulnerabilities in its Android operating system this week, seven of which are remote code execution bugs. In total, 37 flaws were patched, with 26 rated as high severity...."

  Nmap 7.70 released: Better service and OS detection, 9 new NSE scripts, and more!
   

 

'...Nmap 7.70 includes hundreds of new OS and service fingerprints, 9 new NSE scripts (for a total of 588), a much-improved version of the Npcap Windows packet capturing library/driver, and service detection improvements to make -sV faster and more accurate, and much more....'

iOS 11 is Apple’s Vista

   

  

'...I’ve had problems with iOS, Apple’s operating system for iPhones and iPads, for ages. In particular, it has seemed as if every new update would break Wi-Fi networking in a new and interesting way. But iOS 11 — well, iOS 11 is special.

Ever since iOS 11 rolled out in September 2017, it’s been one thing after another. Let us count the ways......'

What Federal Mobile Security is Missing

  

'....Leading U.S. intelligence agencies recently issued a warning to Americans to not buy Chinese-made smartphones. Companies like Huawei and ZTE are known to have close ties to the Chinese government, and U.S. agencies appear to have reason to suspect these companies of cyber espionage....'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in February 2018
     
  Statistics - Sri Lanka CERT|CC

From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt

'...One definition of 'entrepreneur' is "a person who organizes and manages any enterprise, especially a business, usually with considerable initiative and risk." If Israel were a business, then its founders were entrepreneurs; and there is little wonder that the nation is imbued with an entrepreneurial spirit.....'

Facebook’s trust crisis: Has it harmed democracy?

"...Almost 4 out of 10 Americans (39 percent) said: “Facebook is not a responsible company because it puts making profits most of the time ahead of trying to do the right thing.” Less than 1 in 3 (31 percent) said that Facebook is a “responsible company because it tries to do the right thing most of the time even if that gets in the way of it making profits.” The rest were unsure... .."
MIT UNLEASHES A HYPNOTIC ROBOT FISH TO HELP SAVE THE OCEANS

“...Moby Dick, the pure-white fish wiggles slowly over the reef, ducking under corals and ascending, then descending again, up and down and all around. Its insides, though, are not flesh, but electronics. And its flexible tail flicking back and forth is not made of muscle and scales, but elastomer.....”
Everything you need to know about IBM's Watson Assistant

."...This could mean a hotel guest ordering room service through a voice interface, or a car manufacturer creating their own voice assistant embedded within the dashboard.

IBM is looking to simplify the process of building a voice assistant, right down to the specific actions and commands, and is offering a catalogue of pre-built industry assistants to help developers hit the ground running. Customers can train the assistant with their own data sets and analytics are included in the package too....."

 
Notice Board
  

Training and Awareness Programmes - March  2018

  
DateEventVenue

Brought to you by: