WSIS Action Line C5: Building trust and confidence in the use of ICTs

BUILDING THE INFORMATION SOCIETY

Doc.: ALC5/2007/Microsoft
14 May 2007
2nd Facilitation Meeting for WSIS Action Line C5: Building confidence and security in the use of ICTs
Original: English

CONTRIBUTION TO MEETING
"Critical Information Infrastructure Protection: Insights on Strategic Frameworks for Partnership and Risk Management"
submitted by Microsoft

FOR INFORMATION

CRITICAL INFORMATION INFRASTRUCTURE PROTECTION
INSIGHTS ON STRATEGIC FRAMEWORKS FOR PARTNERSHIP AND RISK MANAGEMENT
May 2007

KEY SECTIONS
CIIP Capabilities
National Framework
Regulatory Issues
Risk Management
Information Sharing
Emergency Plans
Terms

CRITICAL SUCCESS FACTORS
- Establish Transparent Policy Goals
- Define Roles and Responsibilities
- Leverage Public-Private Partnerships
- Create Capabilities for Prevention, Detection, Response and Recovery
- Implement an Integrated Risk Management Framework
- Adopt Responsible Disclosure Practices

Prevention: The application of a continuous set of risk management activities and practices that reduce vulnerability to attack, improve preparedness, mitigate possible damage and promote resiliency in the delivery of service.

Detection: Software and service security that enables system operators to identify attacks. It also includes enterprise policies for responsibly identifying and disclosing vulnerabilities to vendors who can address them appropriately and mitigate potential damage to the broader ecosystem.

Response: The internal practices for analyzing and responding to cyber incidents that impact just one enterprise, as well as the coordination of incident response activities between and among government and private sector entities.

Recovery: The plans, protocols, and processes for organizing the recovery and reconstitution of CII.

Figure 1: Overview of CIIP Roles and Responsibilities (diagram: Define Policy and Identify Roles; Determine Acceptable Risk Levels; process steps Assess Risks, Identify Controls and Mitigations, Implement Controls, Measure Effectiveness; Government "What's the goal", Public-Private Partnership "What's critical", Infrastructure "Prioritize Risks", Operators "Best control solutions")

INTRODUCTION AND CONTEXT

Governments are increasingly aware of the role critical infrastructures play in supporting the overall economy and security of their nations. While definitions may vary slightly, critical infrastructures are generally thought of as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters. These include communications, energy, banking, transportation, public health and safety and essential government services. It is essential that countries at all stages of development plan for and develop policies that will enable them to provide reasonable assurance of resiliency and security to support key national missions and economic stability.

The infrastructures described above are often thought of as physical assets such as bank buildings, power plants, trains, hospitals and government offices. These physical elements rely upon an often unseen critical information infrastructure and key functions (CII/KF) to actually deliver services and conduct business. Over the past two decades rapid advances in information services and communications technologies have enabled many traditionally separate infrastructures to integrate and automate. The ubiquity and importance of information and communications technology (ICT) are increasingly recognized as a discernible cross-cutting "critical information infrastructure" upon which all other infrastructures depend. In some sense, the CII/KF are more complex to identify than more established infrastructures such as electric power, because they are composed of systems, processes and services that are not readily identifiable in the way physical elements are. However, because virtually all elements of a nation's economy rely upon it, government and private sector should work together to develop collaborative Critical Information Infrastructure Protection (CIIP) frameworks for prevention, detection, response, and recovery.

The CIIP risk management framework presented in this paper is based on Microsoft's experience in working with governments, infrastructures, and large enterprises to address a broad spectrum of infrastructure challenges. The process presented in this paper synthesizes these unique experiences and also builds off of our previously published risk management guides for operations and security.

EFFECTIVE CIIP PROGRAM CAPABILITIES

Establishing a successful national Critical Information Infrastructure Protection (CIIP) framework requires a great deal of coordination, cooperation, and collaboration from both government and non-government entities. Governments will each approach CIIP differently based on many different factors including the type of political system, geographic concerns, existing regulatory environments, and unique technical challenges. The Swiss Center for Security Studies publishes a very helpful International CIIP Handbook: An Inventory and Analysis of National Protection Policies, which provides a detailed overview of approaches to security policies relevant to CIIP. Despite the many differences in how countries approach and organize for security, there are four basic capabilities that are common to effective CIIP programs: prevention, detection, response and recovery.

A vital part of CIIP capabilities also includes well understood responsible disclosure policies and practices. Responsible disclosure means that when a vulnerability is uncovered, an organization (public or private) reports it directly to the vendor of the product so that it can be corrected before an exploit is developed. Responsible disclosure practices reduce risks to CII and improve the security of the broader ecosystem.

A COLLABORATIVE FOUNDATION FOR A NATIONAL FRAMEWORK
To build a collaborative and cooperative CIIP program there needs to be transparency about the expectations and intent of the national effort. This can be established by (1) clearly defining CIIP policy goals, and (2) defining the roles and responsibilities of the various governmental entities and how they will partner with private CII owners and operators.

Clearly Define Policy Goals

In general a CIIP policy statement (1) recognizes the importance of CII to the nation, (2) identifies the risks it faces (usually an all-hazards approach), (3) establishes the CIIP policy goal, and (4) broadly identifies how it will be implemented, including through partnership with the private sector.

National CIIP frameworks should not be immutable policies. Instead, they should be flexible and able to respond to the dynamic risk environments of information infrastructures. CIIP frameworks should establish policy goals and not set technical mandates or regulation. By establishing clear policy goals, government agencies and non-government entities can work together to achieve the stated goals in the most efficient manner.

Table 1: Sample Roles and Responsibilities

CIIP Coordinator (Executive Sponsor): Leads activities associated with developing and managing national CIIP efforts, including coordinating policy development, outreach and awareness, risk assessment and management efforts, and funding and support for the CIIP program efforts. This role is usually filled by a lead government agency, an interagency committee, or a cabinet official. This role also serves as an important escalation function for resolving important issues and emergencies.

Sector-Specific Agency: A government agency that is responsible for coordinating the national-level risk management process for a particular sector such as banking or communications. The role generally includes working with infrastructure operators to assess risks, define mitigations, identify security controls, and collaborate with infrastructure operators to understand the overall effectiveness of the CIIP risk management program.

Law Enforcement: Preventing, investigating, and prosecuting various aspects of cybercrime, including malware writers, hackers, and organized attackers that intend to steal information or compromise the integrity of critical operations.

Computer Emergency Response Team: Responsible for interacting with government agencies, industry, the research community, and others to analyze cyber threats and vulnerabilities, and to disseminate reasoned and actionable cyber security information, such as mitigations, to the public as appropriate.

Infrastructure Owners and Operators: Responsible for the tangible and intangible assets of the infrastructure or infrastructure elements that they own and/or operate. Operators prioritize business assets; analyze levels of impact to assets; define acceptable risk levels; and implement control solutions to manage/mitigate risks.

Public-Private Partnerships: Comprised of representatives from sector-specific agencies, infrastructure operators, and other key stakeholders, the partnership is responsible for collaborating on risk assessment and mitigation strategies.

IT Vendors and Solution Providers: Provide products and services which are critical to the information infrastructure operators and the general participants in the national economy. They provide strategic insights on architecture, security, operations and risk management. Additionally, they provide patches and mitigations in the face of attacks.

Delineate Roles and Responsibilities

Protecting the critical information infrastructures is a shared responsibility, with both government and the private sector performing important roles. Successfully coordinating a national CIIP program depends upon establishing clear roles and responsibilities. Like any large enterprise risk management program, a CIIP program requires cross-group interaction and segregated responsibilities. Figure 1 provides an overview of the roles and responsibilities of the public and private sector CIIP entities.

The breadth of information infrastructure dependencies means that CIIP cannot generally be assigned to a single governmental agency. Rather, a series of agencies are likely to play a role. For example, the agencies responsible for law enforcement, defense, commerce, communications and banking will all perform unique roles and likely interact with different parts of the information infrastructure.

Because of the need for interagency collaboration and work with the private sector, it is important to establish a lead Ministry/Department, committee or senior official to act as the overall "CIIP Coordinator" and executive sponsor. The CIIP Coordinator can lead outreach and awareness efforts to build consensus and highlight the shared responsibility in managing information infrastructure risk. The CIIP Coordinator is ultimately accountable for ensuring that there is an overall process in place for defining acceptable risk and developing guidance or identifying practices for the participants in the CIIP program, including government and private sector entities. Other key roles include, but are not limited to, sector-specific agencies, such as those responsible for banking, energy, communications, etc., and the infrastructure operators. Outlining the high-level relationships can be helpful in thinking about the overall organization of a national CIIP effort. Figure 2 provides a notional organizational approach.
BUILDING CIIP CAPABILITIES WITH RISK MANAGEMENT

As countries begin to establish or expand their respective CIIP efforts it is important that government and private sectors have an open dialogue to discuss what information infrastructure elements, critical functions, and key resources are needed to deliver essential government services, ensure orderly functioning of the economy, and provide public safety.

Prevention, detection, response and recovery are essential capabilities for a CIIP program to succeed. These capabilities are not necessarily discrete disciplines. Rather, they are a continuous application of risk management activities.

Identifying and Prioritizing Critical Infrastructures

The information infrastructure, including both communications and IT services, is composed of many different pieces including physical and cyber elements, processes, and people that directly support operations (for example, a major peering point, undersea cables, or an international switching system). In addition there is a complex value chain that supports the direct operations. These indirect infrastructure support elements include electric power, water, software, hardware, and others. In addition to the traditional notion of infrastructure there may be certain "key functions" that government and economy rely upon. These functions could include processes like routing, internet content, broadcast delivery, etc. Disruptions of these key functions could have an immediate and debilitating impact on the ability of a nation to perform essential missions.

Once identified, the critical infrastructure and key functions can be prioritized or ranked as to which is most important and in what context. It is important to remember that the notion of "criticality" is very situation-dependent and what could be critical in one instance may not be critical in the next. It is important that, as nations identify and prioritize critical infrastructure and key functions, they understand that these will change with technology, infrastructure, and process enhancements.

UNDERSTANDING THE REGULATORY CHALLENGE

Regulation does not provide an easy answer for improving CIIP. First, CIIP strategies must be dynamic, flexible, and quick to change; slow-moving regulatory frameworks can seriously impede the agility and responsiveness necessary for addressing crisis situations and the rapidly changing technologies that define today's operational environments. Second, regulating CIIP can actually reduce security by diverting resources and lowering standards, because infrastructure operators may only conform to the minimal regulatory requirements. Third, CIIP requires a detailed understanding and integration of other risk-informed regulatory frameworks and dependencies extant in other national industry sectors (for example, power/energy).

Developing economies can leverage CIIP efforts to promote resiliency and security in their national infrastructure. By emphasizing transparency and accountability, rather than obscure regulatory regimes, countries can better drive the investment, innovation and accountability needed to build a trusted critical information infrastructure.

Figure 2: Overview of Possible CIIP Relationships

Fostering Risk Management and Resiliency Planning

The "protection" of critical infrastructure and key functions is the continuous application of a series of risk management practices that enable operators to reduce risks and ensure resiliency across their essential missions. Individually, information infrastructure providers generally have sophisticated risk management methodologies and practices because of the real-time nature of the services they deliver. However, the interconnectivity, interdependence, and technical complexity of the information infrastructure limit the ability to easily assess the overall risk or readiness of the sector. As a result, there is a significant benefit to leveraging public-private partnerships to assess the shared dependencies and infrastructure risks (natural disaster, technological failure, terrorist attack, etc.).

There is often a great deal of tension as to what type of risk management is most appropriate for CIIP. Within the context of particular infrastructure operations both the quantitative and qualitative approaches can provide valuable insights to decision makers and risk managers. However, both of these methods have drawbacks that diminish their effectiveness for CIIP analysis.

By combining the simplicity and elegance of the qualitative approach with some of the rigor of the quantitative approach, CIIP risk analysis can be conducted in an effective and efficient manner. This hybrid approach can be reduced to a four-part process.

Assessing Risk: This phase combines aspects of both quantitative and qualitative risk assessment methodologies. A qualitative approach is used to quickly triage the entire list of security risks. The most serious risks identified during this triage are then examined in more detail using a quantitative approach. The result is a relatively short list of the most important risks that have been examined in detail.

Identifying Controls and Mitigations: Stakeholders identify and select potential controls and mitigations for managing the risks identified during the assessment phase. Once identified, the controls are evaluated to determine (1) whether they meet functional requirements, (2) the extent to which they reduce risk, and (3) their direct and indirect costs and benefits. Finally, a mitigation strategy is selected.

Implementing Controls: Infrastructure operators implement controls (management, technical, operational) and leverage people, processes and technologies for a holistic solution. Defense-in-depth solutions are used to spread risks and reduce the possibility of compromise or disruption.

Measuring Effectiveness: This phase is used to verify that the controls are actually providing the expected degree of protection and to watch for changes in the environment, such as new business applications or attack tools, that might change the organization's risk profile. Sometimes scorecards are used to track progress.
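The hybrid four-part process above, worked through in code as an added example (not from the paper or from Microsoft's own guides): a qualitative triage of a whole risk register, a quantitative annualized-loss figure for the survivors, a cost-benefit selection of a control that keeps residual loss under an acceptable level, and a simple effectiveness check. The register, asset values, rates and control names are constructed sample data.

```python
from dataclasses import dataclass

# Qualitative scale: relative values, as in the paper's qualitative approach
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: str               # qualitative: low / medium / high
    impact: str                   # qualitative: low / medium / high
    asset_value: float = 0.0      # quantitative inputs, gathered only for triaged risks
    exposure_factor: float = 0.0  # fraction of asset value lost per event
    annual_rate: float = 0.0      # expected events per year


@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float         # fraction of annual_rate the control removes
    meets_requirements: bool = True


def qualitative_score(risk):
    """Relative score for triage: probability x consequence on the coarse scale."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]


def triage(register, top_n):
    """Phase 1 (Assessing Risk, qualitative): rank every risk, keep the top_n for detail."""
    return sorted(register, key=qualitative_score, reverse=True)[:top_n]


def annualized_loss(risk):
    """Phase 1 (quantitative detail): expected yearly loss = value x exposure x rate."""
    return risk.asset_value * risk.exposure_factor * risk.annual_rate


def net_benefit(risk, control):
    """Phase 2 (Identifying Controls): loss avoided by the control minus its cost."""
    return annualized_loss(risk) * control.rate_reduction - control.annual_cost


def select_mitigation(risk, candidates, acceptable_loss):
    """Phase 2: choose the control with the best net benefit that meets functional
    requirements and leaves residual loss within the acceptable level; None if none does."""
    best = None
    for control in candidates:
        if not control.meets_requirements:
            continue
        residual = annualized_loss(risk) * (1 - control.rate_reduction)
        if residual > acceptable_loss:
            continue
        if best is None or net_benefit(risk, control) > net_benefit(risk, best):
            best = control
    return best


def effectiveness(risk, control, observed_rate):
    """Phase 4 (Measuring Effectiveness): compare the incident rate observed after
    implementation (phase 3) with the rate the control was expected to leave."""
    expected_rate = risk.annual_rate * (1 - control.rate_reduction)
    return "on track" if observed_rate <= expected_rate else "review control"


# Constructed sample register and controls for a communications-sector operator
REGISTER = [
    Risk("DDoS against national peering point", "IXP", "high", "high", 5_000_000, 0.2, 2.0),
    Risk("Undersea cable cut", "international link", "low", "high", 20_000_000, 0.5, 0.1),
    Risk("Phishing of NOC staff", "network management", "medium", "medium", 1_000_000, 0.1, 4.0),
    Risk("Office printer outage", "back office", "low", "low"),
]
DDOS_CONTROLS = [
    Control("Traffic scrubbing service", 300_000, 0.8),
    Control("Remote-triggered blackhole routing", 20_000, 0.5),
    Control("Disconnect IXP from the internet", 0, 1.0, meets_requirements=False),
]

if __name__ == "__main__":
    shortlist = triage(REGISTER, 3)
    for r in shortlist:
        print(f"{r.name}: score {qualitative_score(r)}, annualized loss {annualized_loss(r):,.0f}")
    chosen = select_mitigation(shortlist[0], DDOS_CONTROLS, acceptable_loss=500_000)
    print("Selected:", chosen.name, "->", effectiveness(shortlist[0], chosen, observed_rate=1.0))
```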

Creating mechanisms for information sharing

Information sharing is often needlessly hard and complicated. The key to successful information sharing is trust: trust in the people, the organization, the process and the intended use of the data. Trust is very fragile. While it takes a long time to build, it can be shattered with one inappropriate or mishandled piece of data. As such it is important that CIIP efforts start with small and manageable exchanges of data and dialogues. Continued collaboration over extended periods will ultimately drive the identification and sharing of the right amount of data at the right time. Additional information sharing protections can also be created through the use of non-disclosure agreements.

One of the most important things that government and industry can collaborate on is the creation of a situation center or a response center. This is a joint facility where the appropriate personnel and subject matter experts from both industry and government can locate to work on analytical challenges or manage incidents. Situation centers provide an opportunity to build the depth of personal trust that is necessary to begin the sharing of relevant data between organizations.

Figure 3: Overview of CIIP Risk Management Framework
Building indications, warning and analysis and response capabilities

Effectively assessing the threats and evaluating the effectiveness of prevention and response requires public-private information sharing and analysis. Government and industry have unique skills in this space. While government can possess strong threat analysis skills, it often lacks the critical infrastructure subject-matter expertise, which can impede accurate understanding of threats. When government does create relevant threat analysis for CIIP, it may not be able to share the information with appropriate private sector people in a timely manner to prevent damage. Collaborating on a "joint analysis" of CIIP risks could create a baseline understanding of the threat environment and inform risk-based decisions. In order to develop a joint analysis there are a series of interim steps to take:

- Expand and enhance existing private sector information-sharing mechanisms as clearinghouses for information to and from critical infrastructure owners and operators;
- Establish or modify existing government entities to enable more analytical and information fusion capabilities focused on CIIP;
- Identify short-term collaborative analysis projects to build trust and establish process, and gradually move to more strategic CIIP analysis.

The results of this analysis will be fed back into the risk assessment efforts previously described.

Establishing and exercising recovery plans and programs

The relevant public and private sector organizations should develop plans for how to jointly respond to and manage emergencies, including recovering critical ICT functions, in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents. Developing emergency response and recovery plans that allow for rapid coordination and management of incidents can prevent escalation of problems and also mitigate damage.

Effective and efficient emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. The value of well-drafted emergency response plans is that they can be integrated into everyday operations and help contribute to an overall culture of security and readiness.

Public-private partnerships can also be leveraged to test and exercise emergency plans. Such exercises promote trust, understanding and greater operational coordination. Exercises also provide an important opportunity to identify new risk factors that need to be addressed in response plans or controlled through regular risk management functions.

TERMS & DEFINITIONS

Asset. Anything of value to an organization, such as hardware and software components, data, people, and documentation.

Availability. The property of a system or a system resource that ensures that it is accessible and usable upon demand by an authorized system user. Availability is one of the core characteristics of a secure system.

Control. An organizational, procedural, or technological means of managing risk; a synonym for safeguard or countermeasure.

Cost-benefit analysis. An estimate and comparison of the relative value and cost associated with each proposed control so that the most effective are implemented.

Defense-in-depth. The approach of using multiple layers of security to guard against failure of a single security component.

Exploit. A means of using a vulnerability in order to cause a compromise of business activities or information security.

Exposure. A threat action whereby sensitive data is directly released to an unauthorized entity.

Impact. The overall business loss expected when a threat exploits a vulnerability against an asset.

Integrity. The property that data has not been altered or destroyed in an unauthorized manner.

Mitigation solution. The implementation of a control, which is the organizational, procedural, or technological control put into place to manage a security risk.

Qualitative risk management. An approach to risk management in which the participants assign relative values to the assets, risks, controls, and impacts.

Quantitative risk management. An approach to risk management in which participants attempt to assign objective numeric values (for example, monetary values) to the assets, risks, controls, and impacts.

Risk. The combination of the probability of an event and its consequence.

Risk assessment. The process by which risks are identified and the impact of those risks determined.

Risk management. The process of determining an acceptable level of risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.

Threat. A potential cause of an unwanted impact to a system or organization.

Vulnerability. Any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat.

For Additional Information Please Contact:
Randy Ramusack, United Nations Technical Advisor, [email protected]
Paul Nicholas, Security Strategist, Trustworthy Computing, [email protected]