Cybersecurity Agenda – How are we doing in South Africa?

Cybersecurity incidents can be costly to the security and economy of any country and to the wellbeing of its citizens. Criminal activity tends to move at lightning speed, in line with the improvements brought about by innovation and technology. Unfortunately, criminals are members of the same society we live in and not a foreign species. At the same time, we need to take advantage of the advancement in these technologies to help develop our industries and sustain basic requirements in education, health, public safety and transparency to enhance the competitiveness of our country. Security and privacy are among the efficiency enhancers needed to achieve these goals.

What does our threat landscape look like?

In the last two days I had a conversation at the ITWeb Security Summit 2012 (1st Day) – driven by the theme “Reinventing Information Security – where trusted technologies have failed you” and at Joshua West’s 4th Annual Security Conference (2nd Day) – with the theme “Developing Superior Strategies for Evolving Business Security Threats”. These events were held in Sandton and Randburg respectively. My task was very simple: to share the Microsoft Security Intelligence Report Vol. 12 with a focus on South Africa (downloadable #itwebsec deck in PDF) at the Summit and to give insight into the “Holistic approach in security across all sectors” at the latter event. The events were covered in the articles “SA threat trend on downward slope” and “Top 10 threats in SA”. The figure below shows the Computers Cleaned per 1,000 scanned (CCM) trend for South Africa over the last six quarters, compared to the world as a whole. The MSRT detected malware (Malicious & Potentially Unwanted Software) on 8.1 of every 1,000 computers scanned in South Africa in 4Q11 (fourth quarter of 2011), a CCM score of 8.1 compared to the 4Q11 worldwide average CCM of 7.1.

How is our IT Environment?

These events are not happening in isolation from cyberspace developments worldwide. The recently announced BRICS Cable – a 34 000 km (note: SANRAL manages roads totalling 16 700 km), 2-fibre-pair, 12.8 Tbit/s capacity fibre optic cable system – will link Brazil, Russia, India, China and South Africa (the BRICS economies) and the United States. It will interconnect, amongst others, with the WACS cable on the West coast of Africa, and the EASSY and SEACOM cables on the East coast of the continent. This will give the BRICS countries immediate access to 21 African countries and give those African countries access to the BRICS economies. The projected ready-for-service date is mid to second half of 2014.

[Figure: BRICS cable map]

See the figure above and read more in “BRICS Cable Unveiled for Direct and Cohesive Communications Services between Brazil, Russia, India, China and South Africa”. South Africa’s President, Jacob Zuma, encouraged the attendees at a BRICS business breakfast hosted by South Africa to support the project and play their role in fast-tracking its execution.

The latest World Wide Worx study on Internet Access in South Africa reported that 8.5 million people were using the Internet in SA at the end of 2011, with a total of 7,9 million South Africans accessing the Internet through their cell phones. Undersea cable capacity to SA at the end of 2011 was 2,69 Tbit/s and will be 11,9 Tbit/s and 24,6 Tbit/s by the end of 2012 and 2013 respectively. This is good news for access to the Internet through the availability of devices, and hopefully it will enhance e-commerce in South Africa, including among the rural poor. We are positioned at no. 5 in Africa’s Top Internet Countries in terms of Internet users (see the figure below).

At this point, I’m tempted to look into the occasionally disputed data by the World Economic Forum (WEF), although the reference looks very credible to me. The latest economic report, namely “The Global Competitiveness Report 2011-2012” (GCR), shows that South Africa moved up by four places to attain 50th position this year, remaining the highest-ranked country in sub-Saharan Africa and the second-placed among the BRICS economies, while the ICT-related report “The Global Information Technology Report 2012” (GITR) noted that South Africa has dropped to 72nd from 61st position on the Network Readiness Index (NRI).

NRI

The figure above shows a comparison of the Network Readiness Index for the BRICS countries, including Mauritius and Tunisia. The data is sourced from GITR 2011–2012. SA, counting on one of the most solid political and regulatory environments (23rd) and better framework conditions for entrepreneurship and innovation (50th), is the highest-ranked at 34th within BRICS and in the sub-Saharan Africa region. The NRI position of 72nd place implies that we are not yet leveraging the potential benefits associated with ICT.

The figure above shows the important shortcomings in terms of basic skills availability (101st) in large segments of the population and the high costs (94th) of accessing the ICT infrastructure, resulting in poor rates of ICT usage (76th). SA is just two points below India, which ranks the lowest in the BRICS community. While consumer/citizen usage (117th) is a big factor contributing to the ranking in India, both citizens (96th) and the government (89th) are contributing factors in South Africa.

The business community (as seen in the figure above) is putting much effort into using ICT and integrating it in a broader, firm-based innovation system (34th). As a result, the economic impacts accruing from ICT are patchy (59th) and the social impacts disappointing (98th). SA ranks the highest, followed by the Russian Federation at 89th position, within the BRICS community (see the figure below). A report by GSMA, “Assessment of economic impact of wireless broadband in South Africa”, assessing the direct and indirect impact of mobile broadband, shows that a 10% increase in mobile broadband penetration is likely to yield an impact of between 1 and 1.8% in GDP.

Piracy

Pirated software poses a huge risk for corporations, according to a report from the Business Software Alliance (BSA). Getting corporate users to download malicious programs is one of the most surefire ways for hackers to gain access to your network. Some of these threats come in the form of malware, while others pretend to be innocuous programs. BSA receives tips from IT personnel and other knowledgeable sources through its online reporting form. The article “Media Piracy in South Africa”, which is part of APC’s work on studying media piracy, gives a good background on the piracy work in South Africa.

“If 57 percent of consumers admitted they shoplift — even rarely — authorities would react by increasing police patrols and penalties. Software piracy demands a similar response: concerted public education and vigorous law enforcement,” said Drummond Simpson, Chairperson of the BSA South African Committee. South Africa ranks the lowest at 35% in comparison to the BRICS countries’ piracy rates (see figure above). The BRIC countries’ total piracy rate is 70%, compared to the European Union, which is at 33%. Dealers are encouraged to join the “Clean Network” – a network of dealers who pledge to sell only genuine Microsoft products. A list of these Clean Dealers is available online. “We also encourage consumers and small businesses to arm themselves with information on how to spot counterfeit software by visiting www.howtotell.com,” said Melanie Botha, marketing and operations lead at Microsoft South Africa.

How is our market?

GCR

In 2004 the GCR report ranked SA at 34, while Tunisia was just 3 points ahead at 31. More interesting is the rise of a country like Mauritius, which is positioned at 53rd (was at 47 in 2004), ahead of the usual African front runner in SA. The BRICS countries’ rankings are as follows: Brazil 65th, Russia 56th, India 69th and China 51st. The world’s most populous country, China, continues to lead the BRICS economies by a significant margin, with South Africa second among the BRICS.

GCI Efficiency

South Africa benefits from the large size of its economy, particularly by regional standards (it is ranked 25th in the market size pillar). We do well on measures of the quality of institutions and factor allocation, such as intellectual property protection (30th), property rights (30th), the accountability of our private institutions (3rd), and our goods market efficiency (32nd). Our country’s financial market development ranks at an impressive 4th, indicating high confidence in South Africa’s financial markets at a time when trust is returning only slowly in many other parts of the world. We also do reasonably well in more complex areas such as business sophistication (38th) and innovation (41st), benefiting from good scientific research institutions (30th) and strong collaboration between universities and the business sector in innovation (26th).

Although the infrastructure is good by regional standards, it requires upgrading (62nd). Surely the infrastructure index might improve when the impact of undersea cables filters deep into the country, which will also influence technological readiness. At present our Internet users/100 pop is at a very low position of 105th, broadband Internet subscription/100 pop is at 96th and Internet bandwidth, kb/s/capita, is at 112th position. Efforts must also be made to increase the university enrollment rate of only 15 percent, which places the country 97th overall, in order to better develop our most needed innovation potential. What disturbs and confuses me at the same time is that South Africa ranks at a very low 138th out of 142 countries in quality of math and science education, while quality of management schools is 13th and availability of research and training services ranks at 47th. Health of the workforce, which is ranked 129th out of 142 economies, is another concern the Minister of Health is busy tackling: it is the result of high rates of communicable diseases, and poor health indicators need to be improved.

The Cybersecurity Agenda, through Training/Human Capacity Development and enhancement of the technological readiness pillar, will have a huge impact on the financial markets, business and the services industry.

Our Government Agenda?

I should say that these events are happening when South Africa seems to be moving in a positive direction with regard to ICT and InfoSec. We earlier had a positive announcement from the Justice, Crime Prevention and Security Cluster (JCPS) about the Cybersecurity Policy, and this was followed by the ICT Colloquium hosted by the Department of Communications (DoC). The essence of the discussion is captured here – The beginning of a beginning – Integrated ICT Policy for South Africa. DoC then followed up with a workshop on “CYBER SECURITY AWARENESS CAMPAIGN” from the 3rd – 4th of May 2012, and the discussions covered topics from “National Cybersecurity Policy Framework” and “Cyber Crime Challenges faced by ISP’s” to “Law Enforcement challenges and procedures”, amongst others. We are looking forward to the outcomes of the breakout groups on key deliverables like the Cybersecurity Hub (National CERT) and a National Awareness day/week for SA. On the 8th May 2012, the Hon. Minister Ms Dina Deliwe Pule delivered the Budget Vote of the Department of Communications and put further emphasis on these issues.

The DoC speech was followed by the Budget Vote speech of the Department of State Security, by the Hon. Minister Dr. Siyabonga Cwele, on the 10th May 2012. He reiterated that the Department will continue to ply its trade guided by the theme: “Working Together to Build a Safer Nation in a Secure World.” He reported that the National Cyber Security Policy Framework was approved by Cabinet in February 2012 and that this policy should result in improved coordination of government’s response to the 21st century challenges of information security (InfoSec). The State Security Agency (SSA) is coordinating this work across government in order to finalize the policy by 2013. Here is a list of some government-driven policies, bills, regulations and acts that are enacted or work in progress and can strengthen the Cybersecurity Agenda.

In Conclusion

As a response to the changing threat landscape today, most governments are looking to establish some form of Cybersecurity strategy. The model below aims to rationalize the discussion and provide a framework within which to operate. Cybersecurity in this context is viewed fairly broadly and includes not only the classical area of information security but embraces the necessary enforcement and outreach activities as well. Download and read this article: “CYBERSECURITY AGENDA: MORE THAN A GOOD HEADLINE”.

Government Cybersecurity Agenda

  • In line with supply chain security, when delivering his State of the Nation Address (SONA), the President called for the screening of all supply chain personnel in government.
  • Upgrading the overall skills (Government Training) at all layers of society and increasing efforts to build affordable infrastructure for all would allow the country to increase its ICT readiness and uptake and, in turn, spread its impacts across society – particularly the rural poor.
  • There is progress in legislation enhancement – are we ready for the cloud?
  • There is progress in the development of Computer Security and Incident Response Team (CSIRT) or Community Emergency Response Teams or Computer Emergency Readiness Team (CERTs) to help address incident response, community awareness, and international collaboration (FIRST) amongst others.

Can we learn and borrow from the long-standing, effective method of immunization through clinics (see “The Primary Health Care Package for South Africa – a set of norms and standards”)? Immunization cards are a condition for acceptance into the first schooling grade for our children in SA. We have also seen how the world collaborated and won when it came to the handling of the Influenza A (H1N1) virus. In order to improve the security of the Internet, governments and industry should engage in more methodical and systematic activities to improve and maintain the health of the population of devices in the computing ecosystem. These activities include detecting infected devices, notifying affected users, enabling those users to treat devices that are infected with malware, as well as taking additional actions to ensure that infected computers do not put other systems at risk. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.

This model will only work if it’s accepted by society and people are assured their privacy is protected. With that in mind, the model must empower people by developing socially acceptable cyber health policies, laws, and international agreements.

To learn more about Microsoft’s proposal, download and read Collective Defense: Applying Public Health Models to the Internet (PDF), in which Microsoft proposes government and industry take action to help mitigate cyber threats today and ensure the long-term health of the Internet as it continues to grow and evolve.

In the meantime, let’s get back to basics and do simple things right. We are doing well with regard to malicious and potentially unwanted software, although we are still above the world average. We need to bring down the percentage of computers detected with worms. Internet Service Providers (ISPs) can play a big role here (see the paper “The Role of Internet Service Providers in Botnet Mitigation”) and yes, together we can!

Use these tools and update when required:

By the way… this malware costs us our bandwidth, which doesn’t come cheap yet in South Africa.

The beginning of a beginning – Integrated ICT Policy for South Africa

On Thursday the 19th April 2012 I attended the National Integrated ICT Policy Colloquium in Midrand, Gauteng Province. South Africa’s Minister of Communications, Dina Pule, officially opened the colloquium where the Department of Communications (DoC) aims to offer industry a chance to review its policies. Policies on information and communications technology (ICT) should be aligned with government’s developmental goals and address the challenges facing the industry, says Communications Minister Dina Pule.

DoC Minister Dina Pule

Pule said the outcome of the ICT policy development process had to be aligned with government’s top priorities of fighting crime and corruption, rural development, improving health and education, and creating sustainable jobs.

“We needed to have this policy review to overhaul all the legislation in our sector such that they reflect the work that the government does and helps this country and industry to benefit from sustainable ICT development and services for the next 20 years,” Pule said.

“We expect to consolidate all policy on broadcasting services in the digital environment; broadband and internet access; spectrum licensing framework for the country’s development; new regulatory areas in all of these; funding and investment; e-skills development; local content development and ICT market growth,” she said. I participated in the commission working on e-Commerce and Digitising Government and I shared the table with an enthusiastic group of young IT Pros.

Policy Requirements

The ICT Policy Colloquium should result in the formulation of the White Paper on Integrated National ICT Policy through consolidation of all policies on:

  • Broadcasting services in the digital environment
  • Broadband and internet access
  • Spectrum licensing framework for the country’s development
  • New regulatory areas in all of the above
  • Funding and investment
  • e-Skills development
  • Local content development and
  • ICT market growth.

ICT policy must respond to the government priority of job creation. It must also answer questions that include:

  1. How best can we influence investment in local electronics manufacturing for the future of our country?
  2. How will we ensure that rural connectivity becomes a reality in the roll-out of broadband internet?

There is a need for technology transfer to help meet the demand for technologies and a need for fair competition in the market that will lead to the lowering of the costs of communications. As a result, the two-day Colloquium boasted six commissions chaired by ICT sector experts. These are:

  • Broadcasting
  • Telecommunications
  • Policy and Regulation
  • e-Commerce and Digitizing Government
  • Investments and Industry Development
  • Local Digital Content

Cybersecurity Agenda

As we start looking into the future, 18 years from now, we also have the opportunity to look back 18 years. South Africa had a new president in Nelson Mandela with a brand new cabinet. Five years later the new dispensation was brought to the attention of our ICT environment because of “Y2K”. The work “From Y2K to Security Improvement: A Critical Transition” captures the essence of security improvement programs (SIP) that were enhanced by the Y2K exercises executed as countries’ national “Security” Agendas. This was followed by the 9/11 events, which also enhanced the disaster recovery plan programs mostly driven by or around ICT. The work by Dr Andile Ngcaba on the Policy Framework for South Africa titled “Digital Life in Building a Digital Life the Eco-System” takes us back to the pros and cons in the development of the ICT policy, and it should be an important lesson as we begin this journey. Let’s all look into the security lessons discussed here, with particular focus on legislation like the Data Protection Act, Protection of Personal Information Act (POPIA), Regulation of Interception of Communications Act (RICA), etc. How can they strengthen the new policy and vice versa?

The chairperson of our commission, Chose Choeu, challenged me and other InfoSec colleagues on the security considerations towards building an Integrated ICT Policy for 2030. This took me back to the Policymakers page that helps educate policymakers on matters relating to online privacy, safety, and security. The guide, Building Global Trust Online Volume 2: Policymaker Guide to Privacy, Safety and Security (PDF file), was compiled from extensive work and ongoing research by Microsoft teams, as well as consultation with external subject-matter experts. It’s worthwhile to read to facilitate positive and informed contribution.

As a country we need to determine clearly what the key elements of a Cybersecurity Agenda are. It is a very sensitive issue, which needs to be based on a level of trust between citizens, between people in the public and the private sector, within the public sector and within the private sector. A very common approach is to set Cybersecurity equal to Computer Security or Information Security. Classical security, with the goal of securing the information of a government, company or end-user, is definitely part of the cybersecurity agenda of any government. However, it cannot and shall not be the end. Cybersecurity is more than “just” IT security. To be successful, it is of outstanding importance to expand a classical Cybersecurity approach from a merely technical and internal policy view to a broader approach covering everything from the technology to critical infrastructure protection to cybercrime prevention and successful prosecution. Only an integrated strategy can lead to a successful cybersecurity agenda.

On a high level, the diagram above can be summarized as follows:

  • It has to cover the alignment between social, legal and economic themes. An initiative cannot be successful if it is not socially accepted or economically feasible for the companies having to implement the measures. This has to be embedded in the cultural environment. The challenge there, however, is that a lot of measures have to be designed and implemented globally (like law enforcement collaboration and aligned legislation allowing for efficient work), and therefore some compromises will most probably have to be made.
  • It needs to address strategies and policies from supply chain security to government training to internal collaboration to innovation. Typically the training part has to be addressed, and so does supply chain security, even though it might have to be broadened. What should not be missed is the whole notion of innovation. Research and development in the area of cybersecurity, with the goal of helping the economy grow on the basis of a sound and secure environment, can be a smart way to help cover the cost of such an initiative.
  • On such a base, the whole infrastructure can be addressed: the government’s own infrastructure, the critical national infrastructure and an identity strategy. This is often the area where a cybersecurity agenda starts and is driven, as it is known best (but unfortunately key concepts are still neglected).
  • And this finally lays the foundation for any kind of solution and application.
  • Besides that, governments have to engage with different communities. There is an absolute necessity to collaborate internationally in a close partnership, as well as with the private sector and the citizen/consumer of all ages, not excluding the security research community.

With such an approach, there is a high probability of successfully working towards the vision of having “citizens, business and government enjoying the full benefits of a safe, secure and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to enhance the country’s overall security, resilience” and economic growth.

This Agenda needs high political will and pressure to make people work together and pull in the same direction. There’s a lot of work going on by the Justice, Crime Prevention and Security Cluster (JCPS) – let the organised ICT professionals, business, labour and citizens add to this momentum.

The Programme Director, Themba Phiri, who’s also the DDG: ICT Policy and Development, kept on emphasising that we are just beginning and no one should feel left behind. Any additional comments and/or questions on the process to date, as well as your suggestions for the way forward, should be sent to ictcolloquium@doc.gov.za, and web access to commissions/work-streams is here. This particular method of communication is said to be kept open until the end of May.