Bridging the gap between cyber security and human capital

By Hiyal Biyagamage

Human resource or human capital is the greatest asset of an organisation but over the last few years, lack of skilled employees as well as complex information systems have made that greatest asset one of the greatest risks for an organisation, Prof. Mathew Warren, Deputy Director at Deakin University Centre for Cyber Security Research of Deakin University, Australia said recently.

He made these remarks at the fourth EC-Council Cyber Security Summit 2016, co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Addressing the gathering, he explained the importance of building a cyber-receptive workforce within an organisation.

Think like a villain to beat a villain

“An organisation should not only focus on their staff individually but collectively. To face modern cyber threats, you need to develop them in terms of their skills, knowledge and experience. In a cyber-security breach, the organisation’s human capital would react collectively and not become victims of a certain cyberattack. Your human capital should be aware of what is going on in the cyber sphere and polish their skills on different technology changes as new threats loom.”

Prof. Warren explained the complexity of modern systems that runs inside organisations has become a major point of bringing many cyber security risks and threats, due to the low capacity of skilled and knowledgeable employees. 

“All of a sudden, the systems that your employees need to protect have become much more complex. Your organisation might have several information systems, scalar systems or control systems which controls key industrial activities. It will be more challenging for the employees if your system is a part of country’s critical infrastructure or a platform that collaboratively functions with several other companies. Organisations have invested millions of dollars in high-level automation systems to accelerate their processes but they bring so many security risk and security threats because organisations don’t hire capable employees to operate these systems or they tend to invest less in training employees,” said Prof. Warren.

Global statistics show that 75% of cyber incidents against critical infrastructure are all intentional, said Prof. Warren. “The main reason for this is devices which haven’t been properly configured according to proper security protocols. People have various devices to enter into systems but they are not knowledgeable or poorly trained on how to use these devices. In many cases, employees are not aware of security issues, which is becoming a greater issue for organisations. You are very proud of the human capital but the question is how many of them would actually survive in a cybersecurity disaster,” he said to the audience.

Overtime, organisations want to improve their security. According to Gartner’s Security Maturity Model, organisations are looking at developing from a stage of reacting to cybersecurity threats in an ad-hoc manner to having properly placed cybersecurity policies, security controls and situational awareness. However, Prof. Warren said that this could happen the other way. Depending on how your employees react to new types of threats, a maturity of an organisation gets decreased, which is a potential threat for the future. 

Developing human capital

He talked about how organisations could develop its human capital. “Organisations can always recruit people but this is where the problem lies. Are they the best people? Do they have the skills and knowledge? Organisations also have issues when their long-time employees go and join the competition. Will you lose all your secretly-kept information? Will you be able to find the perfect person to replace him or her? The time of impact is also important. Inside a boardroom, resolution for a problem will be discussed but the question is how fast you could resolve it. Can you resolve your issue today? It would take time for many companies to implement strategies and it takes time to train and recruit correct people. The time is the issue that we all face in regards to cybersecurity.”

Pulling out some global stats again; Prof. Warren said that CISCO publically told the Australian Government that there is a global shortage of million cyber security specialists and professionals. Symantec CTO Michael Brown has also revealed that by the year 2019, there is going to be about a 17 million shortage of cyber security professionals. In terms of human resources, cyber security is becoming a huge issue and companies are finding it hard to acquire skilled employees to protect their systems, said Prof. Warren.

“CISCO has identified that G20 countries lose 1% of their GDP per year due to cybercrime activities. For Australia, that would be an estimated 17 billion dollars. From an economic point of view, that is a huge loss.”

He explained about Australia’s 2016 cybersecurity strategy which talks about a natural cyber partnership between the government and industries, strong cyber defences, global responsibility and influence by sharing expertise with other countries, growth and innovation. The aim is to growth cybersecurity industry in Australia and become a cyber-smart nation. The Australian Government is looking to promote science, technology, engineering and mathematics from school level and also looking at introducing cybersecurity professional studies through universities. Competitions and internships will be used as mediums to further promote cyber security throughout the country. The total spending for the entire initiative is a thumping A$ 230 million which equals to Rs. 25,550 million.

“What you are seeing globally is that countries are realising that they are having problems. Sri Lanka is the same. When you put up policies to face these threats, it should be always a crystal clear partnership between the government and industries. I was very impressed by the measures which Sri Lanka is taking to protect the country from cybercrimes and building links between industries and the government,” said Prof. Warren.

Prof. Warren further talked about the transformation from information security to cybersecurity. “It is about protecting entire functions within an organisation, rather than focusing on organisation’s technology aspects. When we talk about cyber skills, it is not just about technology skills. Understanding technology is important but organisations now want their IT employees to understand Office of the Council of Europe security from a policy perspective as well. Organisations now need people who would understand the human aspect of security and develop awareness programmes so that they could explain certain elements to non-technical employees.”

“One of the interesting aspects of global security is that it is a global job. It means that I could work in Australia or I could work in Sri Lanka; you have the ability to move around the world with those cyber security skills. We have also seen a huge salary increase for cyber security professionals as well because organisations are realising that they are not able to attract that human capital easily so they are putting up a big salary for those individuals. The risk is that they may be employing people who do not have the best skills and qualifications. That is going to be a worried issue into the future,” said Prof. Warren.

Capacity building on cybercrime

Delivering the guest speech, Dr. Matteo Lucchetti, Project Manager, Cyber Crime Program, Office of the Council of Europe in Romania talked about building capacities in Sri Lanka to effectively contrast cybersecurity crimes. He used some statistics which he had borrowed from the Sri Lanka Computer Emergency Readiness Team (CERT) to analyse patterns and trends of Sri Lanka.  

“When talking about human capital, we really believe that capacity building, administrating proper education and developing programs which can develop capacities are of importance. If we look at CERT statistics, we can see the increasing pattern of cybercrimes which is a global phenomenon too. Cybercrimes are happening everywhere and they have to be dealt in everyday life. When you look at these statistics, it is evident how cybercrimes spread within the landscape in different names. In 2015, Sri Lanka has seen an evenly-distributed histogram of cybercrime activities which means that public and private organisations as well as individuals have been affected by different types of threats,” Dr. Matteo said.

According to a survey done by CERT in 2015, 35% of the respondents believed that their information is of no use to hackers. This showed that the users were unaware of the value of personal information, especially in the hands of third parties or cybercriminals who could misuse such information in various ways.

He explained the audience about the Budapest Convention on Cybercrime which was formed in 2001. It is the first international treaty seeking to address Internet and computer crime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations. It was drawn up by the Council of Europe in Strasbourg, France, with the active participation of the Council of Europe’s observer states Canada, Japan, South Africa and the United States. 

As of March 2016, 49 states have ratified the convention, while a further six states had signed the convention but not ratified it. Sri Lanka became a fully-fledged member of the convention in September last year, becoming the first to do so in South Asia.

“Sri Lanka ratified the convention on 29 May 2015. Country’s accession to the Convention was the fastest by any country, not least because of its earlier groundwork on international cooperation against cybercrime. This was made through the great collaboration we had with the ICTA who took the lead and paved their pathway to the Convention. Other non-Europe Council countries who have ratified the convention include USA and Australia, whose presence is quite useful when it comes to cybercrime specifications.”

Budapest Convention’s scope is very vast. It addresses criminalising conduct which includes illegal access and interception, data interference, child pornography, misuse of devices; procedural tools such as search and seizure, interception of computer data and international corporation. All these elements bring harmonisation among its members, Dr. Matteo explained.

GLACY and beyond

He spoke about Europe Council’s role in capacity building whereas in 2013, committee ministers decided to open a special office in Bucharest, Romania, in order to support countries worldwide to strengthen criminal justice capacities on cybercrime and electronic evidence. He also spoke about GLACY, a Europe Union/Council of Europe project on global action on cybercrime which was set up to enable criminal justice authorities to engage in international cooperation on cybercrime and electronic evidence on the basis of the Budapest Convention on Cybercrime.

“This was started in 2013 November with a duration of 36 months. The budget for the whole initiative was EUR 3.35 million and Sri Lanka was a priority country as well. Some of the components of GLACY was judicial training, international cooperation, building law enforcement capacities, information sharing and harmonisation of legislation. During last April, we conducted another activity in Sri Lanka where we trained trainers using and introductory course on cybercrime and electronic evidence for the judiciary. Overall, we have done more than 60 projects during 2015,” Dr. Matteo shared with the audience.

Dr. Matteo shared details about GLACY+, a new initiative is to extend the experience of the GLACY project, which supports seven priority countries in Africa and the Asia-Pacific region including Sri Lanka. These countries may serve as hubs to share their experience within their respective regions. Moreover, countries of Latin America and the Caribbean as well as others in Africa may now also benefit from project support. The total investment for the project will be EUR 10 million with a duration of four years. Dr. Matteo said that Sri Lanka will be named as a hub under this project.

“Under GLACY+ framework, Sri Lanka will play the role of a hub for the whole South Asian region. We will look forward to work with Sri Lankan authorities in years to come and all the cybercrime related activities will revolve around Sri Lanka,” Dr. Matteo said.

The initiative will have three main objectives; promoting cybercrime and cybersecurity policies and strategies, strengthening the capacity of police authorities to investigate cybercrime and enable criminal justice authorities to apply legislation and prosecute and adjudicate cases of cybercrime and electronic evidence and engage in international cooperation.

A consistent act for computer crimes

Attending the panel discussion, ICTA Sri Lanka Director and Legal Advisor Jayantha Fernando explained how the Computer Crimes Act will be redefined, after Sri Lanka’s accession to the Budapest Convention.

“In terms of our law is concerned, the Computer Crimes Act No. 24 of 2007 embodies the principles of the Budapest Cybercrime Convention. We have seen the provisions based on the Budapest Convention which means that the defences that are identified in the Computer Crimes Act of Sri Lanka are consistent with the Budapest Convention. What is more important is that the procedure for investigations in the Computer Crimes Act is based entirely on the features of the Budapest Convention. 

“As you know, we need to review the implementation, based on cases heard at various levels and cases tried before the High Court and then evaluate the performance of the law as we go along. We need to also look at how best our law could adapt to growing challenges and threats resulting from offenses committed on the internet. Sri Lanka’s standard so far meets international norms but it needs to do the next step of capacity building,” said Fernando.

Vivek Srivastava, Security Lead – Commercial, India and SAARC for Cisco spoke about how corporates should take on capacity building in cybercrime. 

“When you analyse a threat; the way to stop it would be the way how you respond to it. Then you need to look at how to bring down the effect of the threat. One basic element is that you want less people to be victimised. If you look at the corporate world, they work very closely with governments especially through CSR initiatives. For example, Indian Government has recognised the importance of cybersecurity. We had a discussion with the government and we wanted to something around this subject.

“ We have invested good $ 60 million and we met academies and encouraged them to promote cybersecurity among students. This will focus primarily on building cybersecurity expertise. We are also looking at bringing other corporates so that we could build a pool of resources and expertise. Our aim is to build a cyber-reach, kind of a simulation office which simulates cyberattacks in real time. Corporates do play an important role in terms of capacity building,” said Srivastava said at the panel discussion.

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT.  Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partner was MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.

Pix by Samantha Perera and Nirmala Dananjaya

​

​Data Protection Act implementation looks positive: Jayantha

​Answering to a question from Daily FT about the progress of the Data Protection Act, ICTA’s Legal Adviser Jayantha Fernando said that the implementation of the much-talked act looks very positive with the enactment of the Right to Information Act in the Parliament.

“The discussion has been going on for many years. It also weighs on the discussion associated with the Right to Information. In many countries, we have seen data privacy legislation had to be accompanied with the other side of the coin, mainly the right to information as a principal framework. Having said that, bigger issue to be dealt from a policy perspective which is beyond any of us is the need to have an administrative framework to regulate and monitor data protection norms that are followed in government and private sector,” said Fernando.

He said that Sri Lanka didn’t rush to implement the act in the first place because they were progressively examining how other countries made strides to implement it.

“Over the years, traditionally we have seen the lack of resources being a constraint in setting up infrastructure to implement data protection in many countries across the globe. We were behind and in a way it was good for us because it gave us an opportunity to learn lessons of other judicial boards and recently we saw that the entire EU data protection regime was modified and a new set of regulations were adopted in May 2016. If we had rushed several years ago, we would have been changing a set of statutory models now for data protection.”

In 2014, Fernando admitted that the Data Protection Actwas the only stake that had a gap in implementing. 

“In the legal gamut of things, data protection is the only pillar we have a gap. At the moment, there is no specific law for data protection but there is protection for information in networks that is specifically addressed under the Computer Crimes Act. Very often, people out there who manage networks and collect information from customers are not aware of the fact that putting information into databases and sharing that information while breaching an internal company policy are constituted to offense under the Computer Crimes Act. Having said that; still there is a gap in the data protection and privacy area which is being addressed right now,” said Fernando at that time.

However, the Right to Information Act has opened the platform again for the Data Protection Act and Fernando believes the right time has come for the implementation. 

“I am happy that we waited for a while but now it is the time for us to open the subject again and it is even more relevant because on 5 August, the Right to Information Act (Act No. 12 of 2016) was certified and signed by the speaker. Even that the Right to information Act statute enacted by the Parliament; it also establishes an Information Commissioner’s Office so that there is an opportunity now for us to enter the data protection debate and see what norms and practices in terms of law we should adopt and the institutional frameworks we should bring in. We need to also look whether we could make use of Information Commissioner’s Office to take additional requirements to monitor and implement the act soon,” he said to Daily FT.