Tackling cyberthreats, championing cyberpeace

Chairman of the International Multilateral Partnership Against Cyber Threats shares body's efforts to galvanize governments worldwide in area of cybersecurity.

Mohd Noor Amin, Impact Chairman

SINGAPORE--Africa has been on Datuk Mohd. Noor Amin's mind of late, yet it has little to do with the ongoing FIFA World Cup tournament in the south.

Having been to the northern part of Africa recently to engage the public and private sectors on cybersecurity, the chairman of the International Multilateral Partnership Against Cyber Threats (Impact) is keenly aware of the continent's potential for technological progress and the challenges that accompany the developments.

The continent, he noted, is at a turning point as submarine cabling is bringing massive capacity to the Internet. At the same time, African governments recognize IT as a very powerful medium to uplift the literacy and standard of living in their countries and therefore are very open to new technologies. However, if security is not in the picture, a lot more safe havens for cybercriminals could spawn in Africa and result in more Nigerian-type scams.

In an interview with ZDNet Asia last week, on the sidelines of a security conference organized by IDC, Amin spoke candidly about Impact's work in the last two years and his concerns over cyberwarfare.

Impact has been around for just over two years now. What would you consider as significant milestones achieved by the organization?
Impact has been undertaking lots of different activities under different categories. The ITU (International Telecommunication Union) has 191 member states, but because we're a new entity with constraints in terms of resources, we're not able to launch our services to all 191 countries at one go. So we have adopted a phased approach.

Currently, there are more than 44 countries for which we have started deploying cybersecurity services, and loosely translated, these services could mean capacity building like training, workshops and seminars. It could also mean scholarship grants and access to our Global Response Center, which is currently the richest threat information database in the world. Or it could mean consultation to governments on the enactment of cyber laws.

I think the milestone is really being able to deploy cybersecurity support and services across more than 44 countries around the world.

What would you say is the biggest misconception the public and private sectors have about Impact and its work?
The type of organization we're trying to build with Impact is unprecedented--there's no model for it. That's why we had to take the CDC (Center for Disease Control) model from the medical field and translate it for Impact. The first misconception was that because it was first initiated by the Malaysian government and headquartered in Malaysia, it is a Malaysian government initiative. It is not; it is a U.N.-backed initiative. It was a multilateral initiative from the start--it was never meant to be a local domestic initiative. We spent a lot of time explaining that multilateralism is even in our name...so that was the first hurdle we had in approaching governments.

The second hurdle was that some governments thought it was a regional--Southeast Asian or Asian--initiative. Again, that was wrong. We deliberately went out of our way to stress the international aspect of Impact. We felt that regional initiatives are always a good start, but [they] cannot be the answer. If you look at the list of top 10 countries being attacked, and the top 10 sources of attacks, you will see that the attacks come from all over the world. So if you have a regional solution, you will not be able to address this issue holistically. That is why Impact has to be known as an international platform.

Speaking of the name Impact, it was originally called the International Multilateral Partnership Against Cyber-Terrorism but later the "T" was used to refer to threats. Why the change and what significance does this have?
When Impact was first initiated, the focus was on cyberterrorism because the concern of governments was that attackers could manipulate critical infrastructure and cause huge damage not just to the economy, but possibly also to life and limb. This is especially true for countries that are very well-connected in terms of infrastructure. Countries like the U.S. and even Singapore that are highly automated and very advanced in terms of IT are at particular risk.

When we had the launch of Impact at the World Congress of IT in May 2008 with 27 governments present, we sought feedback from the ministers and industry leaders on our advisory board who were present. That was incidentally the largest-ever ministerial-level gathering focused on cyberthreats to be organized. The ministers and industry leaders came out very strongly with the recommendation that we should perhaps look at not just cyberterrorism, but to expand our ambit to look at cyberthreats. Obviously, cyberterrorism would be a subset of cyberthreats. They felt that [by] having the involvement of a huge number of countries from all over the world for the first time, we could really build an effective platform for governments to address not just cyberterrorism, but [also] other aspects of cyberthreats. In fact, the recommendation came from the Singapore minister that the "CT" in Impact should be changed from cyberterrorism to cyberthreats. The ministers and advisory leaders concurred.

What frustrates you most being the leader of such a big global coordinating cybersecurity agency?
The frustration lies in the fact that we're not able to do as much as we like to do. Our mandate is huge--we're charged with assisting 191 countries. Unfortunately, given our limited resources, we have to phase our activities. So there are still countries we are not able to reach out to immediately. Cyberthreats do not work that way--they will harm the entire global community at one go.

You have spoken before on the need for governments to establish dedicated cybersecurity agencies in each of their own countries. To date, how would you assess those efforts and how do you convince every single country to do so?
The recommendation to have an agency that brings all the different stakeholders under one roof comes from the observation that in many countries, particularly the big economies in the world where the government is a big bureaucracy, there are many different departments, agencies or ministries having overlapping roles. This makes it difficult and challenging to address cyberthreats because there are turf issues and wars. So, the ideal situation is to have all these stakeholders under one roof because it makes it easier to build capacity--to train them. It makes it easier to manage the domestic policy because there are no conflicting interests.

We applaud that governments in the U.K. and Singapore, for instance, have started to do this. It's still too early to say whether those one-stop agencies are doing an effective job, but I see no reason why they shouldn't if they are properly implemented, because they will have multidisciplinary people all under one roof with a common aim. For us at Impact, it makes our job so much easier because we do not have to deal with multiple stakeholders in a particular country.

From Impact's point of view, we obviously would like to see governments seriously evaluating the idea, and if they think it is appropriate, to implement this as soon as possible. But having said that, there are countries which will not necessarily require such an agency because they are small, bureaucracy is not an issue or they may already have a de facto one-stop center to deal with cybersecurity.

The organization's intent is to work with governments around the world to assess their security posture, using, for example, the customized Government Security Scorecard. Can you share more about the pilot in Malaysia and where the scorecard can eventually be extended to?
There are two aspects to assessments. One is the country-wide assessment, which we've been undertaking together with the U.N. and ITU in many countries around the world. We started with Afghanistan at the request of the U.N. a couple of months ago. Impact sent a team to study and assist the Afghan government on its cybersecurity readiness. The country has issues pertaining to the use of the Internet to radicalize the young people into extremist activities. We made some recommendations and a lot of them are currently being implemented by the Afghan government. Following that, we had other cybersecurity readiness exercises in Africa and Asia, and we will be rolling out more depending on requests from governments.

The pilot in Malaysia saw the introduction of an automated tool--an electronic dashboard--that measures the compliance level of different administrative units against the set IT policies of that particular government. In Malaysia's case, the government has adopted the ISO 27000 as the benchmark standard. Impact worked with Symantec to implement a tool similar to the one the vendor implemented for the U.S. government, to benchmark the compliance level of one agency in Malaysia. We saw that it became an extremely useful tool for the Malaysian government to see where the areas of compliance were best and where they were lacking. This helped the agency to make an educated assessment of where its vulnerabilities may lie, and also to make a plan of action to close these vulnerabilities.

We strongly feel this is a tool that will benefit the rest of the world--it's not the only tool, but it's a good start. There's always a tendency by governments to have beautiful policies bound in leather but sitting on the shelf, and whether or not anyone is compliant to those policies is anyone's guess. So, by having these automated tools, governments can see in real time whether their people are complying with their own policies. The important thing to stress is that this tool does not introduce new policies; it benchmarks entities against each government's policy.

Impact recently signed an MOU with the Commonwealth Telecommunications Organisation (CTO). What is the significance of this tie-up and how will it help Impact in its work?
The Commonwealth is quite an established institution and covers both the developed and developing parts of the world. Besides going through channels like the U.N., ITU and Interpol, it's always useful to include additional channels to reach out to governments. Some governments may have a better relationship with the Commonwealth, the EU (European Union) or APEC (Asia-Pacific Economic Cooperation). Some [may] have a better relationship with the U.N. So with new partnerships, we find that we enhance our ability to reach out to countries because we use the best available means.

There have been concerns around the use of cyberwarfare. How do you manage tensions with different governments, especially when one party initiates cyberwarfare or threatens another country with it? What role does Impact have to play then?
It worries me because, frankly, that is a big challenge. Cyberwarfare is a relatively new area and potentially the most important area of conflict there is to come. Today, militaries around the world equip themselves with cyberskills both as a defensive and offensive measure. Many currently see cyberwarfare as a legitimate means of military action. The jury is still out on whether it is something that is lawful or not, but...there is no escaping the fact that countries are equipping their military with such skills.

Our role is a complex one, and we feel it is first of all to promote what the ITU Secretary-General terms as cyberpeace. One of the focus areas of the next cybersecurity summit is also to expound on this concept as a U.N. and ITU initiative, where perhaps down the road--not today, not tomorrow, but significantly down the line--there will be an acceptable code of conduct on what is do-able and what is not. Currently, we are far away from that because the Internet itself is a relatively new medium. If you talk about the Vienna Convention and the Warsaw Convention, it took decades for us to reach an agreement. I suspect it will take some time also for countries to come to an agreement on cyberwarfare, but until then our task is first of all to promote cyberpeace as well as to get the dialog going on this.

It's not impossible to manage relations between different countries; it is not impossible for countries of different ideologies and beliefs to be on the same table--we see it every day in the U.N. Security Council. Opposing countries are able to sit together--they may not agree, but at least they are at the table and engaged in the dialog. Impact's role will be to replicate that as far as the cyberworld is concerned.

On a scale of 1 to 10, where 10 is the best and 1 is the worst, how would you rate the global fight against cyberthreats?
I wouldn't be able to rate it 5; I'll probably rate lower than that. Yes, we've come a long way and we've done a lot--individual countries are beginning to realize what cyberthreats are--but we still have a long way to go before countries can benefit from the true sharing of information and build their individual capacity to deal with cyberthreats.

The problem is magnified when you think about it: you need only one country which is not as well-equipped to serve as the safe haven for attacks and criminal organizations. We have well over 200 nations around the world--it is impossible given the current resources to ensure that every country has iron-tight, airtight or watertight policies, laws and measures taken. But what's important is that progress is being made. Hopefully, with institutions like Impact, the U.N. and ITU can reach out to countries more effectively and address this as a global issue.