Sri Lanka CERT|CC puts cyber security in national spotlight

Thursday, 2 October 2014 00:02 -     - {{hitsCtrl.values.hits}}

By Kiyoshi J Berman The 7th Annual National Conference on Cyber Security kicked off yesterday at the BMICH, highlighting some key challenges as well measures taken locally and globally to address the threats. Several foreign and local experts shared key insights at the conference attended by local as well as overseas delegates from several parts of the world. The Chief Guest was Minister of Telecommunications and Information Technology Ranjith Siyambalapitiya. Kuek Yu-Chuang, Vice President and Managing Director Asia Pacific, Internet Corporation for Assigned Names and Numbers (ICANN) and Raymond Goh, Senior Regional Director and Systems Engineer at Symantec spoke at the inauguration ceremony. The event was organised by Sri Lanka Computer Emergency Readiness Team | Coordinating Centre (Sri Lanka CERT|CC), which is part of the ICT Agency (ICTA). Sri Lanka CERT|CC is mandated with the protection of information and information systems in Sri Lanka. Its services range from responding to and investigating information security breaches, to preventing security breaches by way of awareness creation, security assessments and security capability building The conference was part of the broader Cyber Security Week 2014 starting from 1 October. It consists of technical workshops, a hacking challenge, and an information security quiz for university students. There will also be an electronic and print media campaign to educate the masses on information security, in addition to other side events for law enforcement personnel and the legal profession.   Cybercrime Welcoming the participants, ICTA Chief Executive Officer Reshan Dewapura said that cyber threats are real and briefly highlighted the steps all can take to prevent and mitigate this ever-growing threat.  He mentioned that the number of cyber attacks is constantly growing, thus increasing the loss incurred by companies due to cybercrime. “Cybercrime affects the very base of social wellbeing of the general public today. The light of these realities does not just affect the citizens but the very functioning of the national economies. Each state’s contribution to fighting cybercrime becomes very important,” he said. Further he highlighted that “there is no country, no state in this stage of cyber terrorism that can remain indifferent or unresponsive to this threat. The joint action of government and citizens as a whole cohesive force can be built against cybercrime. Creating alliances, sharing experiences and building unified alliances across jurisdictions across borders are the key things to be done in this important and challenging endeavour.” Concluding his speech, Dewapura also pointed out that annual conferences such as this can go a long way in achieving the goal of fighting cybercrime.   Sri Lanka and IT Chief Guest Minister Ranjith Siyambalapitiya in his speech focussed on the importance of conducting conferences on cyber security and shared his view on where Sri Lanka stands in terms of Information Technology. He pointed out the initiatives that have been taken so far by the Sri Lankan Government. He mentioned that the sole aim of President Mahinda Rajapaksa is to empower every citizen through information technology. Similarly the President has also entrusted to the Ministry the responsibility of protecting the future generation from the malignant influences of the internet and Information Technology. He mentioned that it is important to carry out this dialogue and awareness-creation at a village level as well. He further explained that President Rajapaksa believes Information and Communication Technology is the driving force that brings about development. The Government has fast-tracked the country’s massive socioeconomic progress in different sectors during the past 10 years. Moreover, the e-Sri Lanka initiative has made and active contribution towards this and the Government intends to develop every sector in the future under the ‘Smart Sri Lanka’ initiative, uninterruptedly leveraged by Information Technology. The rural Information Technology project ‘Nenasala’ won the prestigious Bill and Melinda Gates Award for the ‘Best Information Technology Project in the World’ this year. Similarly, Sri Lanka jumped 41 places in the e-Government Development Index this year. In 2012 it was at the 115th place out of 193 countries but now it is at 72nd place. Detailing more about Sri Lanka’s achievements in the area of IT, he stated that Sri Lanka has secured the prestige of being the best country in the world in Business Process Outsourcing (BPO). Further, there are many examples that can be citied on how Sri Lanka has made optimum use of Information Technology in every field. The Government has taken every step empower services in the sectors ranging from health, education to communication. Since the Government used effective and efficient strategies with regard to Information Technology, today ICT literacy has increased up to 50%, he emphasised.   Dealing with problems He then moved on to speaking about how Sri Lanka has dealt with the problems that arise with the use of Information Technology. He made it clear that the Government is not only implementing programs to increase computer literacy and to provide services online but has also taken action to ensure security of digitised information. The Minister outlined why the country needs the service and skills of Information Technology and security experts in this country. He proudly expressed that the policy of the Government is not to limit online freedom on the pretext of ensuring security. In fact, President Rajapaksa believes in freedom, as he is credited with ending the era in which the freedom was limited due to the cruel terrorism. For instance, the several unfortunate incidents that took place due to the misuse of social networks like Facebook caused agitation in the country. This also led to suggestions that Facebook should be banned in Sri Lanka. However, the Government handled the situation wisely and concentrated on spreading awareness on the responsible usage of such sites, instead of banning them. Through this incident it was made clear that the Government does not believe in restricting freedom in the name of security. “1 October is Children’s Day and in my view a great day to hold this conference, as children are our future,” he commented. Siyambalapitiya extended his gratitude to Sri Lanka CERT for bringing together various professionals through this dialogue “for protecting our future generation from the negative influences of social media and websites, while protecting the cyber space through knowledge and awareness creation”. ICANN Internet Corporation for Assigned Names and Numbers (ICANN) Vice President and Managing Director Asia Pacific Kuek Yu-Chuang in his keynote address explained what ICANN does. “We are the body that maintains the global domain names system and we coordinate the allocation of IP addresses. We are moving on to devices beyond computers. The devices that you have in your hand are given a unique IP address that belongs to a unique domain name, in order for information to travel. With the collaboration of technology and the adoption of the technologies which changes the way we communicate, security is becoming one of the utmost issues in the digital world,” he said. He reminded the audience about the ICANN’s capacity development program around the world, which also involves working very closely with SLCERT, while also mentioning the workshops where network security and specifically DNS deployment will be focused on. “I would like to talk about the broader, more strategic issues beyond security. For the security specialists today this is an important part of ICANN’s work and indeed, of maintaining the security, stability and resiliency of the internet. The interoperability of the internet is one of our core mandates because at the end of the day internet is a network of networks” he said. He also mentioned that this year a Boston Consulting Group was commissioned to do a global study for ICANN and it was found that digital involvement can bring about as much as 2% of GDP growth, to individual countries when looking at sources and engines of growth. “If you take the domain name industry, it’s a fairly modest three billion dollar industry worldwide. At ICANN we have around 1,010 accredited registrars around the world who work with end-users and consumers to make sure domain names are available to end users,” he said. “Another thing we are interested in is the internationalised domain name arena. Most people tend to think that the domain name industry is static and does not change much,” he added.   Domain name industry developments He further explained the upcoming changes in the domain name industry. “Recently we have made it possible for domain names to be available in local languages. A month ago I was in Delhi with an Indian Minister to launch the dot in (.in) in Devanagari script. I think there is a great case for building more domain names in Sinhala, Tamil and other local languages as we do now in Cyrillic, Arabic, Chinese and Korean. As we get into the digital bandwagon, we continue to celebrate local languages and build local content on the internet. “We are also on the cusp of a new change in this industry. Two weeks ago we worked with the New South Wales Government of Australia for the launch of dot Sydney (.sydney).  As it joins other global cities like Tokyo, London and New York to have its own domain name on the web, we prepare for the new generic top-level domains. Likewise, we are excited to think about the possibilities that are available to Sri Lankan companies, organisations or even the city of Colombo.” Talking more about the changes made by and within ICANN, he said: “The global internet arena is undergoing a massive change. For ICANN, we are starting to move away from the contractual relationships with the US Government so as to become a global organisation. Last year we also broke up our headquarters in Los Angeles to have three global hubs in Singapore, Istanbul and LA. The objective of doing this was to make sure the communities around the world are more engaged in the policy making process of ICANN.” Kuek expressed his thoughts about why it was important for him to visit Sri Lanka on this occasion. He said he has come with the hope of having conversations with those such as the country code top-level domain operators, dot lk (.lk). Additionally, to discuss other things that can be done together such as growing the global domain name industry and implementing projects to improve the accessibility to the internet in Sri Lanka as well as to help with local language preservation.   Cyber security At the inaugural session, Symantec Senior Regional Director and Systems Engineer Raymond Goh made a presentation titled ‘Cyber Security: Re-imagined for today’s digital world’. He recapped the historical events from the steam train to aircraft and so forth, in order to set the context of how technology has changed our lives and promoted economic growth and development. “I remember using my PDA, called the Palm, a long ago and I can tell you that today technology has advanced in terms of the convenience it brings. For example, I went through my slides on my smart phone. I also place a lot of my information on a cloud and one of my colleagues asked me if I’m not afraid to do so. The thing is this, with technology you have to weigh between the convenience and flexibility versus the concerns and the distress technology brings,” Goh said, underlining what security means on a day-to-day basis. “Obviously to everything there is a dark side. Today there are very intelligent individuals who are very focused on stealing information. The most recent news about exploits was the Bash Shellshock. What is the reaction of most people to vulnerability? Is it ‘I’m secure, I’m protected and I know what the risks are and the potential implications and I know how to mitigate those risks’ or ‘let’s shut down everything, close everything up’?” To explain his point further, he posed another question: “In the case of Facebook, there are many incidents where cyber bullying has occurred. It has moved from traditional bullying to cyber bullying, so is this a case of technology rearing its dark side or is it a matter of moving from the traditional culture in to the digital culture.” Goh also expressed a few ideas about challenges faced by organisations and how to respond to them pragmatically. “Economic development would not be possible if not for these advancing technologies. Cyber security needs to be re-imagined; we cannot secure information in a traditional sense. You can’t easily lock up information on a mainframe somewhere, it needs to be available,” he pointed out. It seems that the hackers are ahead of the game, because they don’t say no.  They are always looking at innovative ways in which to exploit organisations’ and individual’s information, he said He explained to participants the main aspects of security – integration, intelligence and insight. Yesterday or historically integration was disconnected and today it is connected. Speaking of the intelligence aspect, he said: “When you put people to take care of your security and every single day nothing seem to go wrong, it gives a sense of complacency and ignorance. This is what happened in the breach at Target. There wasn’t enough intelligence information to say what’s actually going on. Firewalls, email gateways, server logs and patch management solutions can give a rich set of information but these need to be put together to derive useful conclusions about your security status and whether or not your systems are vulnerable. The key is the collaboration between technology partners to share information about the risks and threats to information so that you are able to stay ahead of cybercriminals, he added. The conference also saw presentations by Microsoft Chief Information Security Officer Pierre Noel focusing on "Are we secure in the cloud environment"; Securmatic Inc, Candada Co-Founder and Chief Operating Officer Ranjika Manamperi who spoke on "Why a Security Operations Centre should be a key element of cyber security mitigating strategy"; and British Telecom Director Information Security Advisory Services Hoo Chuan Wei whose presentation was titled "Are you ready for cyber security." The afternoon saw a panel discussion on "Cloud computing: Is it here to stay" with MillenniumIT Head of Security Business  Rahal Jayawardene as the moderator and Noel, Ted Egan, Raymond Goh and Sujit Christy in the panel. ThreatMetrix Co-founder and Vice President Ted Egan made a presentation of "Next generation cyber security - Global Trust Intelligence." Evening session presentations included Check Point Software Technologies Senior Security Consultant Kapil Awasthi - Cyber security in today's scenario; JPCERT Coordination Centre's Taki Uchiyama on global collaboration against cyber crime, and Ceylon Linux Director Gayan Suranda De Silva on mobile application security and Layers-7 Seguro Consultoria Ltd Director and governance, risk and compliance professional Sujit Christy spoke on cyber security in 21st century of Sri Lanka.Sri Lanka CERT|CC CEO Lal Dias made the closing remarks. Pix by Lasantha Kumara