Booz & Company
This document is confidential and is intended solely for the use and information of the client to whom it is addressed.
Developing a Security Megacommunity Case Study for the development of an International Cyber Security Initiative
ASIS European Security Conference Lisbon, 19th April 2009
NCEMABooz & CompanyDATE
2
The world that we operate in is increasingly globalized and interconnected, requiring new approaches also for Security
Our world today is driven by a constantly evolving set of security threats, with terrorist groups, health epidemics, natural disasters and financial shocks conspiring, individually and collectively, to disrupt global markets, incite conflict, reduce prosperity, and impact our basic security.
These issues that threaten national, homeland and economic security are increasingly dangerous due to the unprecedented integration of the international economy – and the modern technologies that both link geographically dispersed populations and simultaneously enable their destabilization.
Our increasingly globalized and interconnected world is creating issues that are too large for any one authority to solve alone – the situation calls for a new type of tri-sector leadership in which business, government and nonprofits work together in a state of permanent negotiation.
To be effective, tomorrow’s leaders will need to reach across traditional sector divisions to form a collaborative “megacommunity.”
A common question emerges: How can leaders confront these challenges?
The Megacommunity thinking recognizes the necessity of business, government, and civil society in working together on issues …
A Megacommunity is a collaborative socio-economic environment in which business, government, and civil society interact according to their common interests, while maintaining their unique priorities
Key characteristics:
– Tri-Sector Engagement
– Overlapping Vital Interests
– Convergence
– Structure
– Adaptability
[Figure: Megacommunity diagram. The three sectors (Business, Government, Civil Society) each apply their Levers of Influence to the shared Megacommunity space]
A megacommunity relies on the dynamic tension that exists among all three sectors – each sector uses its levers of influence to interact with the other sectors to solve a mutually recognized problem
A Megacommunity is the space in which complex problems exist, and are addressed
A Megacommunity is a lens in which to examine a complex problem in a new way
Megacommunities are determined by the existence of tri-sector engagement and an overlap in common interest
The objective for each organization operating in a Megacommunity is achieved by:
– Optimizing its interests instead of maximizing them: all participants gain
– Operating in a Megacommunity is not a zero-sum game
For clarification, a Megacommunity is not:
– another name for corporate social responsibility or philanthropy
– another international/intergovernmental forum (e.g., The World Economic Forum)
– a really big community of interest
– a collection of like-minded actors
– an advanced form of public-private partnerships
… providing a fresh solutions-oriented perspective to address seemingly intractable problems …
To be published by Palgrave Macmillan in March 2008
…and shifts the way organizations need to approach problems in a complex, interconnected environment
Megacommunity Approach
– Organizations from the public, private and civil sectors deliberately join together around a compelling issue of mutual importance
– Participants remain independent but their common interest compels them to work together
– Participants benefit from shared capabilities
– Leaders are engaged and implement a common set of practices and principles that influence organizations other than their own to achieve results
– Participants focus on relationships and listen to other perspectives in order to reach a common goal
Traditional Approach
– View problems and potential solutions from the perspective of a single organization, without taking into account diverse stakeholders
– Collaborate only to maximize objectives for an individual organization
– Leaders create operating principles exclusively tailored to and used in their own organization
– A limited degree of openness, trust and collaboration between organizations with disparate objectives
This approach can be applied to the cyber security challenge
Cyber Threats can have a dramatic impact on our Society
– All Critical services (energy, transportation, government, etc.) depend on Digital Infrastructure that could be compromised, causing severe impact on our society
– Cyber Crime is on the rise (US$ 1.4 billion per year (1))
– New threat scenarios are quickly emerging thanks to new “Web” cooperation models
– Potential impact is rapidly increasing due to the digitalization of vital information and activities
– Cyberwar is an emerging scenario (Estonia 2007, Georgia 2008), as are Massive Attacks (Italy 2007)
– The US Cyber Consequences Unit estimates that a 10-day attack on the US Internet Infrastructure could have an impact of 70% of US GDP
Challenges
– Move away from a purely technical view towards a global shared approach with Political Vision, Strategy, Policies and Standards
– Develop higher coordination and governance
– Cyber Security requires advanced cooperation models focused on Research and Information Exchange
– There is a big gap in specialized capabilities, innovative research, skills and knowledge development
– The problem set is full of hidden interdependencies
1) Internet Crime Complaint Center (IC3) Report 2008; Booz & Co. Analysis
Governments are starting to put their weight behind the problem
"I believe Europe must do more for the security of its communication networks. Europe needs a security tsar with authority to act immediately if a cyber attack is underway, a Cyber Cop in charge of the coordination of our forces and of developing tactical plans to improve our level of resilience." Viviane Reding, Commissioner, EC Directorate General for Information Society and Media, April 2009
Examples of Recent National Cyber Security Initiatives
"Cyberspace is real, and so are the risks that come with it. This is a matter of public safety and national security. We know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness. In short, America's economic prosperity in the 21st century will depend on cyber security." Barack Obama, President, United States of America, May 2009
Australian Government Cyber Security Strategy 2009
UK Government Cyber Security Strategy 2009
US Government Cyber Security Policy Review 2009
French White paper on Defence and National Security 2009
Estonian Cyber Security Strategy 2008
A Cyber Security Megacommunity Case Study
In the last year we have been working for the creation of a cyber security megacommunity through 2 specific and related initiatives
Global Cyber Security Center (GCSC)
– Objectives: develop an international cyber security center
– Location: Rome
– Membership basis
– Non-profit Foundation
European Electronic Crime Task Force (EECTF)
– MOU signed on 30th June 2009
– Founders: US Secret Service, Italian Police and Poste Italiane
– Objectives: develop a European Electronic Crime Task Force
– Voluntary basis
– Infosharing on cyber crime
[Figure: both initiatives placed on the Megacommunity diagram (Business, Government, Civil Society, each with its Levers of Influence)]
The vision for the GCSC defines the ideal state of a digital community and what needs to be done to achieve it
Vision
– International cyber community of people, businesses, and governments… interacting safely and confidently… across a shared digital medium
Components of Vision
– The user base of a global cyber community drives demand and growth of the digital economy
– The user base must be safe from threats on the Internet, and they must believe that they are safe and their information / services are not compromised
– Since no single entity owns the Internet, multiple international players share the responsibility for managing it properly
Actions
– Reduce the “security divide” by increasing the size of the user base and relative security knowledge
– Protect the Internet from bad things, and protect people, businesses, and governments from bad things on the Internet
– Contribute to the cohesiveness and interaction of global task forces protecting the Internet infrastructure. Promote research and knowledge on vulnerabilities and countermeasures.
International cyber community of people, businesses, and governments interacting safely and confidently across the internet medium
The design of the Cyber Security CoE has been structured around 5 core areas
[Figure: Cyber Security CoE Model - Analyzed Dimensions. Five numbered dimensions arranged around the GCSC: Governance & Organization Model, Operational Model & Activities, Partnership Model, Funding Model, Expected Benefits]
Governance & Organizational Model:
– What are the potential legal models that could be adopted for the Cyber Security CoE? Pros and cons?
– What would be the core organizational construct?
Operational Model & Activities:
– What will be the reference “megacommunity” that will be managed?
– What should be the activities? What are the required skills?
Partnership Model:
– Who should be the stakeholder group of partners / experts to be involved in activities?
– Which ones are core vs. nice to have?
Funding Model:
– How will the GCSC finance itself? What sources of funds?
– How much will it need to develop its activities and objectives?
Expected Benefits:
– What will be the specific benefits for each stakeholder group?
– How can we measure the results?
All interrelated!
The GCSC will combine various stakeholders into a shared and organized construct
Operational Model
[Figure: Cyber Security Megacommunity stakeholder map: Private Sector Partners, Network of Experts, National Institutions, International Institutions, Academia, Media]
A strong cooperation and mutual benefit formula is a key success factor for GCSC
The Centre will perform various core activities …
Cyber Security Centre of Excellence
– Research and Observatory: Constant monitoring of developments around cyber security on selected thematic areas. Initiate research activities on selected primary topics. Develop a “living lab” concept.
– Policy, Standards and International Cooperation: Support to the formulation of selected new policies and harmonization of them between different countries
– Training & Skill Development: Conduct of highly specialized training, hosting of seminars and other activities
– Communication & Awareness: Organization, marketing and management of all the CoE communication activities / events of different types
– Information Sharing: The CoE will have to promote information sharing between different actors
… and work on an initial set of core research pillars
All three topics share the same objective: Securing Internet and Digital Services for Society
Users - New Frontiers of Digital Identity: Digital Identity is a key element of Digital Services. The Centre will work to develop new solutions / best practices to allow citizens and organizations to access Digital Services in full security.
Infrastructure - Internet Infrastructure Security: Digital Infrastructure vulnerabilities are used to compromise services and attack systems. The Centre will define and test new technologies and approaches to protect Digital Infrastructure (for example Naming and Addressing Systems, DNSSEC, Internet Routing, etc.).
Threat - New approaches to fight Cyber Crime: the evolution of Cyber Crime requires new approaches to fight it. The Centre will work on International Cooperation and Information Exchange, Real Time Monitoring & Analysis, Incident and Crisis Coordination & Cooperation, and Digital Live Forensics.
Additionally the Center will also develop a technology “test lab” and a CERT support center
Cyber Security Lab
Definition
– Controlled research and testing environment for tests, proofs of concept, simulations and exercises
Objectives
– Provide an international, vendor-neutral environment for cyber security testing and simulation
– Lab can be used for Cyber Security exercises
CERT - Information Sharing
Definition
– Support the sharing of information between CERTs, research labs, private companies and government agencies
Objectives
– Support the development of Information Sharing capabilities in the International CERT community
– Support the improvement of CERTs’ Incident Response capabilities
Selected Examples
– Global Incident Map
– OSF Dataloss DB
– PREDICT Repository
– DETER Network Security Testbed
Poste Italiane, US Secret Service and Italian Postal & Communication Police created on June 30 a “European Electronic Crime Task Force - EECTF”
European Electronic Crime Task Force
EECTF Founders: Poste Italiane, US Secret Service, Italian Postal & Communication Police
Main Steps of EECTF Creation
– May / June 2009: Poste Italiane decides to create a European Electronic Crime Task Force (modeled on the US ones) and involves two key stakeholders (Italian Communication Police and US Secret Service) that are willing to participate
– June 30 2009: Poste Italiane signs together with the US Secret Service and Italian Postal & Communication Police a “Memorandum of Understanding” to establish a European Electronic Crime Task Force
– September 2009: founders define the EECTF governance model and start to organize the first “launch” meeting for March 2009
– March 16th 2010: first EECTF meeting with more than 40 European organizations involved, including various law enforcement agencies, financial institutions and speakers from US Secret Service, Italian Police and Poste Italiane.
Lessons Learnt
– You must have an overall compelling need which cannot be solved by a single entity
– You need a passionate and visionary leader (or leaders)
– You need to understand the specific value drivers of the different stakeholders
– You need strong cultural change to overcome natural barriers - nothing can be taken for granted (!)
– You need a clear agenda and financing
– You need to focus on the key partnerships rather than technical specifics
– Have a clear “business plan” and governance model
– Be flexible, flexible and again flexible