What was learned while developing Bhutan’s first National Cybersecurity Strategy

Cyber Security CII sector, Industry News
While the introduction of information and communication technologies (ICTs) brings undeniable benefits in terms of speed and efficiency of digital transformation, it can also significantly expand the cybersecurity risk landscape or “attack surface.”
Adopting and implementing an NCS can be particularly challenging for developing countries as it requires significant economic, human, and organizational resources. Committed to supporting governments by building capacity and transferring knowledge, ITU hosted a webinar on NCS development and implementation where international experts discussed key actions to build cybersecurity resilience and readiness.
A critical contribution came from the Bhutan Computer Incident Response Team (BtCIRT). We decided to share lessons learned while developing our NCS since Bhutan’s experience not only demonstrates the typical cybersecurity challenges faced by developing countries, but also how developing an NCS can turn these challenges into opportunities for stronger cybersecurity.
Embarking on a journey
Bhutan’s journey toward the definition of its first NCS began in 2012 with a readiness assessment conducted by ITU to measure not only the cybersecurity maturity level of the Kingdom of Bhutan, but also its cyberthreat landscape.
Following the assessment, the Bhutan Computer Incident Response Team (BtCIRT) was formally established in April 2016. The BtCIRT operates under the Department of IT & Telecom (DITT) of the Ministry of Information & Communications. Our formal mandate is to provide both reactive and proactive cybersecurity services to the entire nation, including guiding the development of a national strategy.
After a number of iterations, the first version of the NCS was finalized in October 2020 through two rounds of task-force workshops. At the time of writing, the NCS is awaiting public consultation after which it will be submitted to the Cabinet of Bhutan for approval.
Overcoming hurdles
Explaining the importance of cybersecurity and the necessity for a strategy was one of the most significant initial challenges. Despite the great engagement of the Kingdom of Bhutan in ICT development, many government and private sector leaders are from non-technical backgrounds. In a country where digital transformation is a work in progress, awareness of the importance of cybersecurity remains a big challenge. Senior management perceived cybersecurity as a purely technological problem with limited impact on other domains. In reality, cybersecurity is a shared responsibility that needs multidisciplinary and structured solutions from top management.
Another key challenge was gaining support and buy-in from stakeholders. As the NCS is a national endeavour and roadmap to achieving a safer online environment, it needs to cater to the whole country to ensure that it is comprehensive and inclusive through the involvement and collaboration of all stakeholders.
Not all perceived cybersecurity as a priority, and others held different views on how to implement it. It was challenging to bring everyone together in the first place, and even more difficult to achieve consensus on strategic direction and specific areas of concern.
Visibility, funding and partnerships key
Given this was the first time developing a National Cyber Security Strategy for Bhutan, all challenges constituted an important learning experience and an opportunity to enhance the country’s cybersecurity maturity.
First, developing the NCS spread cybersecurity awareness and visibility throughout the institutional apparatus. In Bhutan, the government accords the highest importance to digital transformation and information and communication technologies. The high-level ICT steering committee, with members representing top management from every sector (government, public and private), drives and monitors the implementation of ICT projects.
In terms of funding, the Department of IT & Telecom secured a dedicated budget projected over 5 years for the implementation of the NCS. Identifying critical information infrastructure, conducting cybersecurity awareness training and cybersecurity capacity building are among the initial activities to be carried out. The Strategy also clearly identifies stakeholders and their responsibilities.
After the approval of NCS, three working groups will be formed. The legal group will carry out the assessment on cybersecurity legislation, the Child Online Protection group will develop guidelines, and the Technical group will develop relevant security requirements and guidelines. All activities will be monitored monthly by BtCIRT and issues will be escalated to the High-Level ICT steering committee.
Finally, the public-private partnership model presents a potential opportunity to further build cybersecurity awareness in Bhutan. As the BtCIRT is limited in terms of human resources and capacity, it could improve incident reporting and handling, as well as enhance knowledge sharing. To that end, the implementation strategy includes a plan to set up sectoral Security Operation Centers to improve cybersecurity in critical sectors.
Looking ahead
The last two decades have seen the Kingdom of Bhutan undergo a far-reaching digital transformation, especially in terms of delivery and adoption of digital services.
Another recent trend is that many Bhutanese people have embraced cardless transactions. More recently, due to the COVID-19 pandemic, the health and education sectors have adopted innovative measures for service delivery.
As Bhutan continues its digital transformation work, global and national capacity building in this field remains a necessity for the successful development of National Cybersecurity Strategies. The result is not only the betterment of countries’ cybersecurity posture, but an opening of opportunities that will enable the benefits of digitalization to reach more citizens, for an altogether more sustainable digital future.
Leave a comment , ,

Building a solid foundation for measuring the impact of cybercrime

Agency News, Cyber Security CII sector, Industry News
INTERPOL and the Council of Europe, in the framework of the GLACY+ Project, cooperate in publishing the Guide for Criminal Justice Statistics on Cybercrime and Electronic Evidence.
While many governments recognize the need to take action against cybercrime, they face difficulties in defining the problem at hand.
To effectively tackle the multifaceted and imperceptible nature of cybercrime, criminal justice authorities need a good understanding of the scale, types and impact of the crime. For this reason, the Council of Europe and INTERPOL have jointly developed the Guide for Criminal Justice Statistics on Cybercrime and Electronic Evidence to support countries develop a clearer vision of the global problem.
The key goal of this joint effort is to help criminal justice authorities worldwide acquire the statistics on cybercrime and electronic evidence by providing good practices and recommendations. Statistics enable the authorities to shape effective policies and operational responses. This guide lays out the agenda for compiling criminal justice statistics with key steps for data collection, analysis and cooperation among multiple stakeholders.
“Well-defined statistics produced in collaboration with criminal justice authorities will not only provide valuable insights into the changing environment, but also strategic indicators for measuring the effectiveness of policies and activities,” said Alexander Seger, Head of the Cybercrime Division of the Council of Europe.
“How countries approach cybercrime and electronic evidence at the national level has a real impact on available options on global cooperation. It also serves as the cornerstone for developing tailored operational responses to reduce the global impact of cybercrime,” said Craig Jones, INTERPOL’s Director of Cybercrime.
INTERPOL and the Council of Europe will continue to cooperate to enhance the ability of criminal justice authorities worldwide to tackle cybercrime and encourage international cooperation in collecting and analyzing electronic evidence.
Leave a comment ,

IoT Security: ENISA Publishes Guidelines on Securing the IoT Supply Chain

Agency News, Industry News
The European Union Agency for Cybersecurity (ENISA) is releasing its Guidelines for Securing the IoT – Secure Supply Chain for IoT, which covers the entire Internet of Things (IoT) supply chain – hardware, software and services – and builds on the 2019 Good Practices for Security of IoT - Secure Software Development Lifecycle publication by focusing on the actual processes of the supply chain used to develop IoT products. This report complements the Agency’s seminal study on Baseline Security Recommendations for IoT, a highly cited and referenced work that aims to serve as a reference point for IoT security.
Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties. As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.
In the context of the development of the Guidelines for Securing the IoT – Secure Supply Chain for IoT, the EU Agency for Cybersecurity has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.
As in most cases pre-prepared products are used to build up an IoT solution, introducing the concept of security by design and security by default is a fundamental building block to protect this emerging technology. The Agency has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices. These guidelines to help tackle the complexity of IoT focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.
Leave a comment , ,

UK and partners condemn GRU cyber attacks against Olympic and Paralympic Games

Agency News, Cyber Security CII sector, Industry News
The UK exposed malicious cyber activity from Russia’s GRU military intelligence service against organisations involved in the 2020 Olympic and Paralympic Games before they were postponed.
The activity involved cyber reconnaissance by the GRU targeting officials and organisations involved in the Games, which had been due to take place in Tokyo during the summer.
The incidents were the latest in a campaign of Russian malicious activity against the Olympic and Paralympic Games, with the UK also today revealing details of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.
The National Cyber Security Centre (NCSC), a part of GCHQ, assesses with high confidence that these attacks were carried out by the GRU’s Main Centre for Specialist Technologies (GTsST), also known as Sandworm and VoodooBear.
Details were released after the US Department of Justice announced criminal charges against Russian military intelligence officers working for the GRU’s cyber unit for conducting cyber attacks against the 2018 Winter Games and other cyber attacks.
The Foreign Secretary Dominic Raab has issued a statement making clear that the Russian government cannot act with impunity.
Paul Chichester, the NCSC’s Director of Operations, said:
“We condemn these attacks carried out by the GRU and fully support the criminal charges announced today by the US Department of Justice.
“These attacks have had very real consequences around the world – both to national economies and the everyday lives of people.
“We will continue to work with our allies to ensure that we are the hardest possible target for those that seek to cause disruption and harm in cyberspace.”
In the attacks on the 2018 Games, the GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony. It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games.
The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.
The NCSC assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks. Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.
Leave a comment

Flood exposure and poverty in 189 countries

Industry News, Water sector
Natural disasters are estimated to cause an average of over $300 billion in direct asset losses every year; this estimate increases to $520 billion when considering the well-being (or consumption) losses experienced by people (Hallegatte et al. 2017). While each country faces its individual set of natural hazards – including cyclones, earthquakes, or wildfires – floods are one of the most common and severe hazards to disrupt people’s livelihoods around the world. Especially in lower income countries where infrastructure systems – including drainage and flood protection – tend to be less developed, floods often cause unmitigated damage and suffering. Recent events, ranging from Bangladesh and Nigeria to the United States and Vietnam, illustrate that the threat is a global reality. Not only rare and major floods, but also smaller and frequent events can revert years of progress in poverty reduction and development. In the coming years, land subsidence, rapid coastal urbanization, and climate change are bound to result in increasing exposure of people and their livelihoods.
A new report findings suggest that :
The exposure of people to flood risk is substantial: We find that 2.2 billion people, or 29 percent of the world population live in areas that would experience some level of inundation during a 1- in-100 year flood event. About 1.46 billion people, or 19 percent of the world population, are directly exposed to inundation depths of over 0.15 meter, which would pose significant risk to lives, especially of vulnerable population groups.
Of the 1.47 billion people who are exposed to flood risk, 89 percent live in low- and middle-income countries. 132 million people are estimated to live in both extreme poverty (under $1.9 per day) and in high flood risk areas.
While flood risks are global, East and South Asia stand out: Flood risks are a near universal threat, affecting people in all countries covered in this study – albeit at different scales. The largest number of flood exposed people live in East and South Asia (1.36 billion people). In several subnational areas of East and South Asia, more than two-thirds of the population is exposed to significant flood risks.
When considering poverty among the flood exposed population, risks are largest in Sub-Saharan Africa. At least 71 million people in Sub-Saharan Africa are estimated to live in both extreme poverty (using a $1.9 a day definition) and significant flood risk – thus making them particularly vulnerable to prolonged adverse impacts on livelihoods and well-being. Globally, between 132 million and 587 million poor people are exposed to flood risks (depending on which poverty definition is used). About 1.2 billion flood-exposed people live in lower- and uppermiddle-income countries.
These findings are based on high-resolution flood hazard and population maps that enable global coverage, as well as poverty estimates from the World Bank’s Global Monitoring Database of harmonized household surveys.
Leave a comment

EU Agency for Cybersecurity launches ISAC in a BOX Toolkit

Agency News, Cyber Security CII sector, Industry News
The EU Agency for Cybersecurity launched an ISAC in a BOX an comprehensive online toolkit to support the establishment, development and evaluation of Information Sharing and Analysis Centres (ISACs).
European legislation, such as the Cybersecurity Act and the NIS Directive (NISD), promotes the creation of European and National Information Sharing and Analysis Centres (ISACs). ISACs are private public partnerships (PPPs) between stakeholders exposed to similar cybersecurity vulnerabilities and threats and they are usually formed by private sector initiative, in particular operators of essential services of the critical sectors. ISACs collect, analyse and disseminate actionable threat information to their members and provide them with tools to mitigate risks and enhance resilience.
ENISA’s task is to support the creation and development of ISACs and advise them to strengthen their cooperation, build trust and exchange information using tools and mechanisms that are beneficial for all parties. ENISA participates and offers advice and expertise in several European initiatives regarding the development of ISACs through:
- Connecting Europe Facilities (CEF) call for ISACs as a technical advisor;
- Inter-EU ISAC platform as a facilitator;
- European Energy (EE) ISAC as a member;
- European Financial (FI) ISAC as secretariat;
- European Maritime (EM) ISAC as a member;
- European Rail (ER) ISAC as a member.
Objective and description of the toolkit
ENISA developed this comprehensive toolkit, following studies on the ISAC concept, to address the need to facilitate community building and collaboration across ISACs. The toolkit aims at providing practical guidance and the means to empower industry to create new ISACs and to further develop already existing ones.
The main success factors for ISACs are Trust and Sharing. If there is trust, information will be shared and added value will be created - ISAC in a BOX follows the same approach. It is divided in four phases and contains all activities, documents and tools needed to start, develop and evaluate an ISAC. Each phase includes the basic elements that need to be fulfilled to go to the next phase.
- Build phase: It’s all about setting the goals, participants and purpose for the ISAC; agreeing on the budget and the right cooperation mechanisms.
- Run phase: Governance is key to share information through meetings and develop trust and building capacities among the ISAC participants.
- Evaluation phase: Evaluation is an essential part of the ISAC lifecycle which helps to keep it on track, measure its impact and assess its momentum in order to bring it to the next phase.
- Develop phase: Time for action! This phase focuses on enhancing ISAC’s sophistication, its further development and outreach strategies.
Leave a comment

SAFECOM and NCSWIC Address Communications Dependencies on Non-Agency Infrastructure

Agency News, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector, Transport sector
The world of emergency communications can be astoundingly complex, especially as additional capabilities and services become necessary to successfully deploy, maintain, and protect communications systems. Many agencies rely on multiple third-party entities to provide these capabilities, including provisioning of critical system infrastructure, cybersecurity, and other services. For example, agencies readily rely on commercial vendors for subscriber units or on commercial utilities for power supply. An agency and its contracted non-agency entities alike are vulnerable to events that threaten the uptime, continuity of services, operations, or resiliency of communications. Regardless of how unpredictable these events may be, agencies can take steps to be prepared when those disruptive events occur.
Using the depth of experience among their members, SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC) have published a white paper―Public Safety Communications Dependencies on Non-Agency Infrastructure and Services—outlining several techniques to prepare throughout the communications system lifecycle for challenges associated with such dependencies, as shown in the graphic.
Given the potential for disruptive events impacting non-agency partners, public safety stakeholders—including system administrators, public administration officials and decision makers, and other communications personnel—might benefit from understanding the potential complications or obstacles they may face when depending on outside sources for infrastructure or services.
To learn more about this document and other helpful resources, visit cisa.gov/safecom/technology
Author: Ted Lawson, Cybersecurity and Infrastructure Security Agency (CISA), Joint SAFECOM and NCSWIC Technology Policy Committee Federal Lead
Leave a comment

Ransomware Activity Targeting the Healthcare and Public Health Sector

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.

Leave a comment

How UN collaboration is shaping the concept of 'Circular Cities'

Industry News, Transport sector
“Extending a lifespan or increasing utilization over that lifespan,” says Okan Geray, Strategic Planning Advisor for Smart Dubai. “These are the two key elements of circularity – create another life, or a life delivering more value.”
Applying this thinking to the workings of a city reveals a broad scope of opportunity to achieve ‘Circular Cities’, explains Geray.
Geray leads the Thematic Group on Circular Cities within the United for Smart Sustainable Cities Initiative (U4SSC), an initiative supported by 17 United Nations partners with the aim of achieving Sustainable Development Goal 11: ‘Make cities and human settlements inclusive, safe, resilient and sustainable’.
“The guide is a world first. Outlining the wealth of opportunity to build circularity into cities, the guide presents a more holistic view of circularity than the now well-established idea of Circular Economy,” says Geray.
“The resulting concept of Circular Cities offers a new way of thinking about not only economic aspects of cities but also their social and environmental dimensions.”
< Download the 'Guide to Circular Cities' free of charge >
Guiding cities from evaluation to action
The Guide provides a ‘circular city implementation framework’ for cities to define the best course of action to improve circularity.
It outlines a four-step methodology for cities to assess opportunities for circularity, prioritize the opportunities capable of delivering the most value, catalyze associated circular actions, and evaluate the impacts of these actions.
“The first stage is all about baselining, almost a checklist for cities to take stock of where they stand today and where they aim to go,” explains Geray.
The Guide begins by mapping all of the ‘assets and products’ found in a city to provide a high-level categorization of opportunities for circularity.
It proceeds by highlighting the ‘circular actions’ that cities could apply to these assets and products, actions including sharing, recycling, refurbishing, re-using, replacing, and digitizing.
It highlights the ‘outputs’ resulting from circular actions, outputs such as more energy-efficient buildings, a longer lifespan for water resources, or more inclusive uses of public spaces.
The Guide also highlights the wide range of ‘enablers’ that cities can apply to catalyze these actions.
“These enablers are potential policy tools to stimulate circular actions,” says Geray. “These enablers might include, among others, Key Performance Indicators, R&D programmes, public-private partnerships, training and capacity building, and financial incentives for circular actions.”
Leave a comment

NCSC Update Guidance on Principles for the design and build of in-house Public Key Infrastructure (PKI)

Agency News, Industry News, Power/Energy/Oil & Gas sector, Telecomms sector
A private Public Key Infrastructure (PKI) is used to confirm the identity of users, devices and services hosted or connected to privately owned infrastructure.
This is an essential component of any system that uses a private PKI for authentication, as such it must be designed and built with great care.
This guidance provides a set of high level architectural design principles which can be used to design, scope or review a private PKI architecture.
Fur further details visit NCSC >> 
Leave a comment ,
1 41 42 43 44 45 54