Cybersecurity guide for developing countries - ITU

Cybersecurity
guide for
developing
countries
Edition 2007
[pic]
© ITU 2007 All rights reserved. No part of this publication may be reproduced in any
form or by any means without written permission from ITU. Denominations and classifications employed in this publication do not imply
any opinion on the part of the International Telecommunication Union
concerning the legal or other status of any territory or any endorsement or
acceptance of any boundary. Where the designation "country" appears in this
publication, it covers countries and territories.
Disclaimer
References to specific countries, companies, products, initiatives or
guidelines do not in any way imply that ITU endorses or recommends the
countries, companies, products, intitiatives and guidelines in question
over other similar ones which may not be mentioned. Opinions expressed in
this publication are those of the author and do not engage ITU. PrEface
[pic] The Geneva and Tunis Phases of the World Summit on the Information Society
(WSIS) brought together international organizations, governments,
businesses and civil society to agree on a common vision for the
information society. However, we can only transform this common vision into reality for all the
peoples of the world if we can ensure the security of online transactions,
protect critical information infrastructures, and safeguard information
systems and data on which businesses, citizens and governments rely. Inadequate cybersecurity solutions, absence of a common understanding on
the issues and the need to address this problem globally are just some of
the challenges we must collectively face. The International Telecommunication Union (ITU) in its role as
Moderator/Facilitator for WSIS Action Line C.5 - Building confidence and
security in the use of ICTs is committed to working with all stakeholders
to arrive at a common understanding of the challenges and to put together
our collective resources to build a global framework for security and
trust. I invite you all to join us in our efforts to work towards transforming
this vision of building a global and secure information society into
reality. [pic] Dr Hamadoun I. Touré Secretary-General
International Telecommunication Union
Foreword
[pic] The emergence of a global and borderless information society brings new
opportunities to all countries worldwide as technologies play an even more
important role in social and economic development. Services in the health,
educational, business, finance and public administration sectors are
possible thanks to ICT applications ICTs also bring new challenges which must be addressed if we are to
securely conduct e-health transactions, enable citizens to access e-
government services, provide the necessary trust for online commercial and
business transactions and maintain the integrity of our information
technology systems and resources. Putting in place adequate security and trust solutions is therefore one of
the main challenges that the ITU Telecommunication Development Bureau has
to address as it pursues its efforts in assisting countries in the use of
telecommunications and ICTs. The borderless nature of the information society also means that for
solutions to be addressed there must be a common understanding amongst all
nations of the potentials of secure ICT applications and the challenges
faced in building trust and security. It is therefore imperative that in
addition to working towards bridging the digital divide, we also make
efforts in bridging the knowledge divide by raising basic awareness and
building human and institutional capacities. The guide is intended to give developing countries a tool allowing them to
better understand some of the issues relating to IT security, and provide
them with examples of solutions that other countries have put in place in
order to deal with these problems. It also refers to other publications
giving further specific information on cybersecurity. The guide is not
intended as an exhaustive document or report on the subject, but rather as
a summary of the principal problems currently encountered in countries
wishing to take advantage of the benefits of the information society. The content of the guide has been selected to meet the needs of developing
and, in particular, least developed countries, in terms of the use of
information and communication technologies for the provision of basic
services in different sectors, while remaining committed to developing
local potential and increasing awareness among all of the stakeholders. In order to avoid any duplication in the treatment of these subjects, the
work already accomplished within the framework of ITU-T Study Group 17 was
duly taken into account in elaborating the content of this publication, as
were the other existing studies and publications in this area. [pic] Sami Al Basheer Al Morshid Director
Telecommunication Development Bureau Executive Summary
Social issues, the economy, public policy, human issues: whichever way one
looks at it, and whatever one calls it (IT security, telecom security),
cybersecurity touches on the security of the digital and cultural wealth of
people, organizations and countries. The challenges involved are complex,
and meeting them requires that there be the political will to devise and
implement a strategy for the development of digital infrastructures and
services which includes a coherent, effective, verifiable and manageable
cybersecurity strategy. Obtaining a level of information security that is sufficient to meet
technology and information risks is essential for the proper functioning of
governments and organizations. The widespread use of digital technologies
goes hand-in-hand with increased dependency on those technologies and
interdependency of critical infrastructures. This creates a non-negligible
vulnerability in the functioning of institutions, potentially endangering
them and even undermining the sovereignty of the State. The goal of cybersecurity is to help protect organizations' assets and
resources in organizational, human, financial, technical and information
terms, allowing them to pursue their mission. The ultimate objective is to
ensure that no lasting harm is done to them. This consists of reducing the
likelihood that a threat materializes; limiting the resulting damage or
malfunction; and ensuring that, following a security incident, normal
operations can be restored within an acceptable time-frame and at an
acceptable cost. The cybersecurity process involves the whole of society, in that every
individual is concerned by its implementation. It can be made more relevant
by developing a cyber code of conduct for appropriate use of ICTs and
promulgating a genuine security policy that stipulates the standards that
cybersecurity users (entities, partners and providers) will be expected to
meet. To set up a cybersecurity process, it is important to identify correctly
the assets and resources that need to be protected, so as to accurately
define the scope of security needed for effective protection. This requires
a global approach to security, one that is multidisciplinary and
comprehensive. Cybersecurity does not sit well with a freewheeling world
that places a premium on permissiveness. What is required is a set of core
principles of ethical behaviour, responsibility and transparency, embodied
in an appropriate legal framework and a pragmatic body of procedures and
rules. These must be enforced locally, of course; but they must also be
applied across the international community and be compatible with the
existing international directives. To avoid creating opportunities for crime to grow, the existing
telecommunication infrastructures must include suitable security measures
of a technical as well as a legal nature. Attacks via cyberspace can take
many forms: the clandestine hijacking of a system, denial of service,
destruction or theft of sensitive data, hackers breaking into the network,
cracking of software protection, phreaking (which includes sabotage,
hijacking of telephone exchanges and more). The costs are invariably borne
by the victims, i.e. the organizations and individuals who have been
targeted. Considered as a system, telecommunication (both infrastructur