KICTANet's Input into the proposed Critical Infrastructure Bill
The Secretariat, Director Programmes & Standards, ICT Authority Telposta Towers, 12th Floor, Kenyatta Avenue, P. O Box 27150-00100 Nairobi. critical@ict.go.ke Kenya ICT Action Network (KICTANet)’s input into the proposed Critical Infrastructure Bill Acknowledge ICT is a tool that is critical for operations and hence requires specialized attention: availability, integrity and confidentiality. Starting point: Have criteria for defining what critical ICT infrastructure is. Distinguish between critical ICT infrastructure (Registry, content delivery networks) and traditional critical infrastructure. Question if there is need to put transport and energy infrastructure on Internet and if so, how is it protected? Anything put on the internet is vulnerable. Acknowledge that business models of ICT companies are different from the traditional models of non-ICT critical infrastructures such as energy utilities and industrial control systems. They require more maintenance and upgrades that translate into much more investments. How do we ensure we have scalable and resilient critical infrastructure? In the past we have seen government institutions invest in white elephants, sending them back to the procurement room before the system goes live. Consider the need for expertise to deal with and protect the infrastructure (developers focusing on software security and information security professionals specializing in critical infrastructure). Consider cybersecurity but avoid raising fear, uncertainty and doubt. Avoid any type of strategy that hacks back. Hacking back will not fix broken infrastructure, and the attribution problem makes it very hard and sometimes impossible to find the real source of attacks. Focus on defense and resilience. Need to have websites running latest versions of software including security updates otherwise we will continue to experience this: https://www.google.com/#q=%22hacked+by%22+site:go.ke. There should be a big focus on identifying XP use and migrating away from XP usage in government and critical infrastructures. Management questions 10. Who manages critical infrastructures? 11. Should the government own/manage/handle infrastructures like the NOFBi? 12. Which infrastructure can the government outsource? Which infrastructure is a security threat to outsource? Who are trusted partners for outsourcing? 15. What is the value of investment in NOFBI while there is no last mile connectivity? Should the NOFBI operator be able to go the long haul and provide last mile services to all intended recipient(s) of the service? 16. What levels of approvals are there (change management) for any change to happen in a critical internet resource? (Just last month, a misguided change at KENIC affecting DNSSEC affected the entire .ke domains for a whole day. No domain was accessible). 17. How is the security and integrity of PKI maintained? 18. How are the counties managing ICT county specific infrastructure and what capacities exist at that level? Roll out/ Rapid Response questions 19. How fast can we rollout, upgrade, and repaired our fibre optic infrastructure? (There has been a deliberate systematic plot to ensure there are no ducts on wayleaf to pull fibre optic cable within minimum time, and cost effectively). 20. Can we vet the software that runs on and support critical infrastructure? We have had cases of defective and compromised firmware, and compromised software that has payloads executed at certain times by malicious actors. Which software and hardware do we trust? Can we audit this software? 21. What is the role of standards? ( ISO 27000 series Standards on Information Security and the ISO 20,000 series on Service Management). Regulation vs Legislation and questions regarding scope 22. Is it necessary to have an Act on critical infrastructure considering the dynamism and complexity of ICT? Would a few amendments under the KICA 2013 not suffice?23. Would it perhaps not be useful to have separate acts or regulations for critical internet infrastructure on the one hand, and critical infrastructures like (power and transport) connected to the internet on the other hand? The two types of critical infrastructure are related but require different and specialized approaches.24. The development of a critical infrastructure policy framework should precede the bill to contextualize the Critical Infrastructure bill. The policy framework should also have an implementation framework, a result of which could be the development of a law. Before the development of the policy it may be necessary to conduct a study and expert consultation on the matter that includes a review of global best practices.25. The protection of critical infrastructure may be better managed under regulations rather than Bills/Acts. This is because in the fast changing world of IT, what is critical today may not be tomorrow and vice versa. Who would have known five years ago that M-PESA would move beyond just sending money, to becoming a lifestyle for millions of Kenyans aka a critical infrastructure? You don’t manage such issues through hard-wired Acts, but through Regulation. Recommendations on Policy and law The said policy and law should clearly outline: - Definition of what constitutes critical infrastructure. - Distinguish between critical internet/ICT infrastructures and critical infrastructures connected to the internet. - Criteria for identification of CI. - Threat analysis to various CI in Kenya. - Risk management framework for the CI. - Requirement of mandatory minimum protection of critical infrastructure as well as demonstrated assurance through compliance. - Coordination framework (including PPP arrangements, lead coordinating org and perhaps the need for a single body?). - Investigate frameworks for threat intelligence and information sharing between all concerned stakeholders. - Incident reporting mechanisms and investigations of possible requirements for breach disclosure to all affected stakeholders. - Research and development strategies. - Capacity assessment and development. - Funding mechanisms. - Implementation plan. Note: It will be important for institutions (private and public) to meet the law and associated regulatory requirements (Consistent with with the 2010 constitution). In addition, Institutions must integrate their plans with agencies/bodies (e.g. fire, security, emergency, hospitals, etc.) that are critical to effective response. Submitted on behalf of KICTANet by Grace Githaiga, Victor Kapiyo, Barrack Otieno, Mwendwa Kivuva, John Walubengo, Matunda Nyanchama, Alex Comninos and Ali Hussein
Well done GG. Regards On Apr 21, 2015 6:24 PM, "Grace Githaiga via kictanet" < kictanet@lists.kictanet.or.ke> wrote:
The Secretariat,
Director Programmes & Standards, ICT Authority
Telposta Towers, 12th Floor, Kenyatta Avenue,
P. O Box 27150-00100 Nairobi.
critical@ict.go.ke
*Kenya ICT Action Network (KICTANet)’s input into the proposed Critical Infrastructure Bill*
*Acknowledge*
ICT is a tool that is critical for operations and hence requires specialized attention: availability, integrity and confidentiality.
*Starting point:*
1. Have criteria for defining what critical ICT infrastructure is. 2. Distinguish between critical ICT infrastructure (Registry, content delivery networks) and traditional critical infrastructure. 3. Question if there is need to put transport and energy infrastructure on Internet and if so, how is it protected? Anything put on the internet is vulnerable. 4. Acknowledge that business models of ICT companies are different from the traditional models of non-ICT critical infrastructures such as energy utilities and industrial control systems. They require more maintenance and upgrades that translate into much more investments. 5. How do we ensure we have scalable and resilient critical infrastructure? In the past we have seen government institutions invest in white elephants, sending them back to the procurement room before the system goes live. 6. Consider the need for expertise to deal with and protect the infrastructure (developers focusing on software security and information security professionals specializing in critical infrastructure). 7. Consider cybersecurity but avoid raising fear, uncertainty and doubt. 8. Avoid any type of strategy that hacks back. Hacking back will not fix broken infrastructure, and the attribution problem makes it very hard and sometimes impossible to find the real source of attacks. Focus on defense and resilience. 9. Need to have websites running latest versions of software including security updates otherwise we will continue to experience this: https://www.google.com/#q=%22hacked+by%22+site:go.ke. There should be a big focus on identifying XP use and migrating away from XP usage in government and critical infrastructures.
*Management questions*
10. Who manages critical infrastructures?
11. Should the government own/manage/handle infrastructures like the NOFBi?
12. Which infrastructure can the government outsource? Which infrastructure is a security threat to outsource? Who are trusted partners for outsourcing?
15. What is the value of investment in NOFBI while there is no last mile connectivity? Should the NOFBI operator be able to go the long haul and provide last mile services to all intended recipient(s) of the service?
16. What levels of approvals are there (change management) for any change to happen in a critical internet resource? (Just last month, a misguided change at KENIC affecting DNSSEC affected the entire .ke domains for a whole day. No domain was accessible).
17. How is the security and integrity of PKI maintained?
18. How are the counties managing ICT county specific infrastructure and what capacities exist at that level?
*Roll out/ Rapid Response questions*
19. How fast can we rollout, upgrade, and repaired our fibre optic infrastructure? (There has been a deliberate systematic plot to ensure there are no ducts on wayleaf to pull fibre optic cable within minimum time, and cost effectively).
20. Can we vet the software that runs on and support critical infrastructure? We have had cases of defective and compromised firmware, and compromised software that has payloads executed at certain times by malicious actors. Which software and hardware do we trust? Can we audit this software?
21. What is the role of standards? ( ISO 27000 series Standards on Information Security and the ISO 20,000 series on Service Management).
*Regulation vs Legislation and questions regarding scope*
22. Is it necessary to have an Act on critical infrastructure considering the dynamism and complexity of ICT? Would a few amendments under the KICA 2013 not suffice?
23. Would it perhaps not be useful to have separate acts or regulations for critical internet infrastructure on the one hand, and critical infrastructures like (power and transport) connected to the internet on the other hand? The two types of critical infrastructure are related but require different and specialized approaches.
24. The development of a critical infrastructure policy framework should precede the bill to contextualize the Critical Infrastructure bill. The policy framework should also have an implementation framework, a result of which could be the development of a law. Before the development of the policy it may be necessary to conduct a study and expert consultation on the matter that includes a review of global best practices.
25. The protection of critical infrastructure may be better managed under regulations rather than Bills/Acts. This is because in the fast changing world of IT, what is critical today may not be tomorrow and vice versa. Who would have known five years ago that M-PESA would move beyond just sending money, to becoming a lifestyle for millions of Kenyans aka a critical infrastructure? You don’t manage such issues through hard-wired Acts, but through Regulation.
*Recommendations on Policy and law *
The said policy and law should clearly outline:
- Definition of what constitutes critical infrastructure.
- Distinguish between critical internet/ICT infrastructures and critical infrastructures connected to the internet. - Criteria for identification of CI. - Threat analysis to various CI in Kenya. - Risk management framework for the CI.
- Requirement of mandatory minimum protection of critical infrastructure as well as demonstrated assurance through compliance. - Coordination framework (including PPP arrangements, lead coordinating org and perhaps the need for a single body?). - Investigate frameworks for threat intelligence and information sharing between all concerned stakeholders.
- Incident reporting mechanisms and investigations of possible requirements for breach disclosure to all affected stakeholders. - Research and development strategies. - Capacity assessment and development. - Funding mechanisms. - Implementation plan.
Note: It will be important for institutions (private and public) to meet the law and associated regulatory requirements (Consistent with with the 2010 constitution). In addition, Institutions must integrate their plans with agencies/bodies (e.g. fire, security, emergency, hospitals, etc.) that are critical to effective response.
*Submitted on behalf of KICTANet* by Grace Githaiga, Victor Kapiyo, Barrack Otieno, Mwendwa Kivuva, John Walubengo, Matunda Nyanchama, Alex Comninos and Ali Hussein
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/otieno.barrack%40gmail...
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.
participants (2)
-
Barrack Otieno -
Grace Githaiga