Workshop inside WCC’2015 on Information Security Education & Solidarity – Project IFIP-TC3 / Unesco
The real context … for Nepal
Some Outcomes of the workshop
Element of the Report
Information Security Education & Solidarity
Joint IFIP TC3 and UNESCO Participation Programme
IFIP TC3 Working Conference “Opening our Future Together”
ISES Participation on 5th October, 2015, in Daejeon, Korea
Mr. JaeSuk YUN representing Korea
Mr. JaeDok Shim, representing ICDL Korea
M. Rajan R. Patan, representing Nepal
Serah Francis, representing Kenya
Mr. Penmetsa Murali Krishna, representing India
Moderator: Raymond Morel, IFIP GA and TC3
ISES Session Summary of Daejeon Meeting
Information Security is becoming a global concern for all governments worldwide. This was highlighted by experts from different countries. Most countries have recognized the urgency of developing ICT security policies and strategies but successful implementation requires huge commitment and support from the government and all stakeholders. Lack of funding, commitment, shortage of skills and awareness are just some of the things hindering successful implementation of policies. Advanced countries are already implementing and reviewing their strategies and policies but least developed and developing countries are still lagging behind. Developing a cyber security strategy or policy does not change anything in terms of improving cybersecurity but the real change comes when a government has been able to put the plan into action and have measurements and tools for continues assessment and evaluation. For example, user awareness, R & D, and professional skills development in information security should be every government top priority when allocating funds but research shows that very few countries have dedicated budget for IT security.
Session One: Presentations
The speakers presented current situation in different countries in terms of cybersecurity policy and strategy development and implementation, with an example of how technology trends are pushing enterprises to implement mobile devices without clear policies on how to address the risks. In addition, an education model (ICDL) applicable to all users and workforce both in government and private sector was presented as an example of successful educational model.
Cyber Security Policy in Korea – Mr. JaeSuk YUN
Mr. YUN discussed ICT environment in Korea, trends on cyber-attacks, cyber security policy and implementation. The government of Korea has been very active in promoting cybersecurity for some time, due to security threats from outside the country. Mr. YUN pointed out that a multistakeholder approach led by KISA (Korea Internet and Security Agency) with support from the government has led to the successful implementation of Cyber Security Policy of Korea. With this success Korea is able to share its model with interested countries. Already, the country is cooperating with developing countries in areas such as sharing know-how on incident response, providing cyber security system, training & business opportunities and consulting about cyber security policy & strategy. He also explained how Korea is playing its part in global arena by supporting cyber capacity building for developing countries and sharing practical cyber security knowledge and experience through their practical global cybersecurity center for development & cybersecurity alliance for mutual partnership (CAMP).
IT Security in South Korea – Mr. JaeDok Shim
Mr. Shim explained the importance of Knowledge and Skills and especially in IT Security. He pointed out that ICDL is a worldwide certification offered in most countries. The aim of the program is to promote digital skills as the key enabler of effective use of ICT. He explained that IT Security module sets out concepts relating to the secure use of ICT in daily life and skills used to maintain a secure network connection, use the Internet safely and securely, and manage data and information appropriately. The course is available through National Operators who also engage with private and public sector (e.g. Ministry of Education). The course is widely used and in some countries, the program is funded by the government and offered as an extra curriculum in both primary and higher education. This is an example of a successful model of building knowledge and experience in IT security.
IT Security in Nepal: Issues and Challenges – Mr. Rajan R. Pant
Mr. Rajan pointed out the current status of IT Security: available infrastructure, threats and challenges. He pointed out that internet penetration is growing in Nepal and with this, security threats are increasing. He also pointed out challenges faced by Nepal in the area of Information Security such as lack of Cyber security policy, relevant skills, user awareness, specific cyber laws and lack of urgency from the government among others. With the theme SECURE YOU, SECURE YOUR NATION, Mr. Rajan explained how he is helping his country to be secure. He explained how he has established an organization, Information Technology Emergency Response Team Nepal (ITSERT-NP – www.itsert-np.org) and its role towards the information security. He has also introduced classes for students, training for teachers, guideline for parents and warnings for users in Nepal. He hopes the program will continue offering more support to many users. He emphasised that awareness and education is the best way to make sure many are aware of information security.
Cyber Security Issues & Challenges in Kenya – Serah Francis
Ms Serah Francis discussed on the current status on Cybersecurity in Kenya. She highlighted that there is still a growing concern on the increasing cyber threats in Kenya in spite of the government launching the National Cyber Security Strategy last year. She explained that the government is facing challenges on implementing the policy due to lack of resources, IT security skills and IT Security Awareness in the country among other things. She pointed out that through education and solidarity, countries can help each other in Policy making, legal and regulatory frameworks, designing of Cyber Security Curriculum in academic institutions, designing affordable and accessible training through e-learning and to identify critical technology gaps within the networks in developing countries and how those loopholes can be closed.
The State of Mobile Security in India – Prof. Murali Krishna, Penmetsa
Mr. Krishna presented the findings about the present state of Mobile security in India. He presented his findings on the technological trends, economic trends, socio culture trends and proposed recommendations based on his findings for improvements. From his first findings, he emphasized the need for development of mobile security policies for organization on acceptable and non-acceptable use of applications. Secondly, he recommended organizations to develop BYOD (Bringing your own device) strategy with security functions like password entry, remote lock & wipe and biometrics. Finally, he recommended the need to create mobile security awareness program on use, compliance to policies, loyalty, controls and accountability.
Session Two: Panel Discussion
The panel felt that there is a need to involve more countries in ISES (Information Security Education & Solidarity) to get a clear world view and to share their experiences on cybersecurity. Cyber security is not a one countries or individual problem, all is responsible. The participants felt that Information Security is a clear cut in all entities of IFIP and that there need to be a way on how all can share ideas and experiences.
The questionnaire was discussed and the full report on response should be analysed on the next conference in Seville in November 2015. Raymond to pass and discuss the questionnaire with General Assembly next few days. Mr. Rajan stressed on implementation of different programs of ISES in different countries. For this purpose, he offered to distribute the questionnaire through Computer Emergency Response Teams (CERTs) in different countries to understand the status of information security of those countries to guide us on future plan and objectives. Mr. Raymond explained on the objective and goals of ISES and since we are coming to the end of the year the committee should start preparing the full report for the whole year. Prof. Krishna stressed the need for defining long term objective for project ISES initiative and steps that need taken for the achievement of the objective.
We are promoting information security education by conducting different awareness programs as recommendations provided by speakers and moderator. Next step is to build a website with sufficient information related to information security to support our initiation of ISES.
Cybersecurity challenges in developing countries – Findings
Cybersecurity is one of the most serious economic and national security challenges the world is facing today. Recent media coverage about hacks, data breaches and theft of personal information doesn’t go unnoticed and many governments have taken steps of developing cybersecurity strategies to coordinate measures to protect their critical infrastructure and citizens. Most National Cybersecurity Strategies will have some similar key areas due to the nature of cyberspace. These key areas include legal measures, technical measures, organisation measures, capacity building and cooperation. Comparing these key areas of a country is important to intensify a country’s effort to cybersecurity and to identify the gaps and shortcomings of the strategy.
Unfortunately, most of the National Cybersecurity Strategies don’t live to their expectations. Some strategies are unclear and relatively weak when describing detailed action plans in different areas. Furthermore, many fail to mention the key stakeholders, their responsibilities and how they work together. Cybersecurity is a clear cut in many areas of the government agencies and therefore it is important to mention how the strategy integrates to other areas, but many cybersecurity policies fail to do so. In most cases Cybersecurity strategy or policy is not seen as a core strategy like ICT or defence strategy and therefore, no separate budget is allocated to the process, meaning that many actions could be overlooked due to lack of resources. Evaluation and control metrics to measure performance are not mentioned on many of the cybersecurity strategies. Without these measures a country will not be able to tell whether the strategy is a success or not. Some would argue that cybersecurity is a sensitive issue and therefore not everything should be put on public domain. Unfortunately, this can create problem when it comes to assessing the readiness and cyber commitment of a country, in case of foreign investment. The Governments is also responsible to act to address the growing cyber threats and attacks, hence promoting public confidence and trust in the use of cyberspace. The process of developing a strategy is always the easy part – implementing the plan is always a challenge. National Cybersecurity is no exception: the environment has to be right with key elements and proper funding.
In many developing and least developed countries, cybersecurity has gone from a concern to an issue of pressing concern. This is because these countries are investing large amounts of money to improve digital technology with less attention paid to securing or responding to any attacks on cyberspace. Meaning that most systems and networks in those regions could be vulnerable and exposed to cyber threats and attacks. Africa is becoming an attractive target for home-grown young hackers who want to commit economic fraud and also international criminals wanting to take advantage of the ineffective laws and political instability. The region accounts for 4% of total security incidents worldwide and this figure is expected to rise due to improved internet infrastructure and falling prices. Research has shown that developing nations have poorly secure networks, lack of cyber laws and short of well-trained IT security experts both in private and government agencies. The level of ICT mutuality is still very low compared with other nations in the world and IT Security Education and Awareness is almost non-existence in mainstream academic institutions. Successful development and implementation of a National Cyber Security plan, requires professionals with skills covering all the cybersecurity domains to champion the initiative. Although most of the above mentioned challenges are not only unique to developing countries, there are several factors why many are concerned on the state of cybersecurity in developing countries. Below is a summary of some of the challenges facing policy implementation in developing and least developed countries;
· Lack of Cybersecurity Strategies/Policies and legal & regulatory framework in some countries
· Inadequate fund allocation to cybersecurity ecosystems
· Lack of information security awareness and persistent information security culture
· Insufficient computer literacy and lack of local digital contents especially in rural areas
· Inadequate standards and maturity models for cybersecurity
· Lack of a Child Online Protection Framework
· Lack of basic awareness, information security professionals and skills within government
· Lack of specific sector policies e.g. education
· Resistance to change, especially in public sector
· Reliance on imported hardware and software
· Lack of sector specific R&D programs/projects, especially in education
· Lack of appropriate national and global organizational structure to deal with cyber incidents
In addition, increasing level of internet penetration through mobile devices and fast broadband in developing countries is thought to contribute to increasing attacks from various malicious online agents. To remain competitive on the global market developing countries need to show their commitments in securing the cyberspace. Kenya is an example of a developing country that want to emerge as an ICT hub in East Africa and as such has tried to respond to cyber security threats by emulating other countries. In 2014, the Kenya government developed the National Cybersecurity strategy which aims to define the country’s cybersecurity vision, goals and objectives to secure the nation’s cyberspace while continuing to promote the use of ICT to enable economic growth. Unfortunately, the country has not been able to respond to growing cyber risks in the country. Experts in the region argue that the problem has even gotten worse. Developing a national cybersecurity strategy is one thing but not supporting implementation plans and funding, could be detrimental to their success. Lack of effective cyber laws and regulations, skills shortage, raising awareness, national and international collaboration and organization structure as well as protecting children online are all key elements that cannot be ignored when we think of cybersecurity ecosystem. A Multi-layered approach consisting of all the above is required in order to fight cybercrime and if countries want to remain competitive in the global market.
Few countries in developing world have established CERT/CIRTS but their effects on whether they can respond to cyber threats in a timely and coordinated manner is yet to be felt. Many are not well funded and they lack qualified experts and tools. Many countries are not member of other initiatives like FIRST and have not signed or ratified with Budapest Convention. Members of FIRST share information and good practices as well as taking advantage of the training offered by FIRST.
Many in developing countries lack very basic security skills like using a password or dealing with emails and as such, criminals take advantage of these poor security practices to steal personal data. Unlike most of the developed world, cybersecurity education is at its infant stage and in some countries none at all. The shortage is being felt across all organisations but the most felt is the government, financial institutions, SMEs and NGOs. In many countries there no government funded IT security courses and IT Security certification offered by organisations such as SAN or ISACA are very expensive for the locals. The few experts in the continent are recruited by the private sector as they offer higher financial rewards. In most cases, cybercrime incidents are never solved due to lack of Computer skills and expertise. In many countries the government there no government computer forensic labs.
Legislation and regulatory framework are key elements of cybersecurity. Unfortunately, existing frameworks in most developing countries are only partly sufficient or not sufficient at all. For example, Kenya has been criticized for lack of effective laws and skills shortage in law enforcement. Lack of awareness among the parliamentarians can delay legislation process. Lessons can be learnt from countries like Estonia or UK in terms of developing laws and regulations to govern cybersecurity. In some areas of the law, other countries could pick what is relevant to their situation instead of reinventing the wheel. A good example is the UK Computer Misuse Act. The U.K. Computer Misuse Act 1990 is an example of comprehensive legislation on computer crime while the U.S. Federal Information Security Management Act of 2002 is also a comprehensive legislation on cybersecurity compliance and the E.U. Directive 95/46/EC on the “protection of individuals with regard to the processing of personal data and on the free movement of such data” is a partial regulation in the Europe uniquely related to cybersecurity among other things.
Although some countries are experiencing fast broadband, the infrastructure needs upgrading. Old software like Window XP is still in large use even though Microsoft ceased its support. Many cannot afford to upgrade their devices or virus scanner and are not aware of automatic updates or of free downloads offered by supplier’s e.g free VG virus scanner from Microsoft. In some parts of Africa, internet is still very expensive compared with their earning and when it comes to using broadband they would rather use the few hours they have purchased on social media or email than updating their devices. Many are not aware of the security threats posed by not protecting their devices. There is also widespread use of pirated software.
One of the most threat to many firms especially in financial institution in Africa is inside threats. There no regulations for reporting cybercrime in most developing countries and therefore, most organisations prefer to deal with the problem from within. There is lack of trust on the legal system in cases where cyber laws are in place and fear of reputation. Countries do not have national databases for criminals, making it easy for those employees who commit crime to move from one place to another committing similar crimes. In most situations, even when cases are taken to court, many end up not facing judgment due to lack of enough evidence. Lack of digital investigating tools and training in many law enforcement agencies also plays a part. Many firms are ill prepared to detect, prevent and investigate any security information breaches, costing them millions of dollars annually arising from corporate theft and information security breaches.
The increasing use of social networking sites such as Facebook, Twitter in Africa for example, increases the mobile device vulnerabilities. Criminals are using data stealing apps and other attacks to steal personal data stored on mobile devices. Millions of internet users in Africa use their mobile devices both for work and private use, thus storing large amounts of data leaving them vulnerable to cyber criminals who want their personal details and that of their companies to steal trade secrets.
Developing countries should also learn how to regulate the IT market to avoid being a dumping place of unnecessary cheap hardware and software and to create a market for local talents. There is a need of a political commitment at the highest level of government so that they can support and assist in creating awareness to their people. There is a high risk of digital divide if urgent measures are not taken, to educate, train and raise awareness on information security especially for minority and vulnerable people. Cultural differences can also hinder development in countries where most people can only speak their native language. Most security awareness initiatives are concentrated in urban areas leaving rural areas behind.
Developing and least developed countries are still a long way in having an effective mature cybersecurity ecosystem compared to developed countries due to Infrastructure, legal and policy loopholes and failure from some countries not doing anything about it. If countries are to achieve their millennium targeted goals, adoption of appropriate legislation, effective institution structure and global partnership are needed to deal with cybersecurity. It is evident that capacity building cuts across all areas of cybersecurity. Therefore, security information awareness is important to draw attention to the society on the security issues surrounding them. Education and training give people skills to manage their devices and have relevant skills to be able to carry out their jobs. Last but not least, without R&D, countries miss out on innovation.
(1) ENISA Website, National Cybersecurity Strategies in the World. https:/
(2) ABI & ITU, Global Cybersecurity Index & Cyberwellness Profile 2015. https:/
(3) Luiijf, et al, Nineteen National Cyber Security Strategies, International Journal of Critical Infrastructure Protection (Impact Factor: 1). 01/2013; 9(1):3. DOI: 10.1504/IJCIS.2013.051608
(4) ENISA 2014, An evaluation framework for Cyber Security Strategies. https:/
/ www.enisa.europa.eu/ activities/ Resilience-and-CIIP/ national-cyber-security-strategies-ncsss/ an-evaluation-framework-for-cyber-security-strategies-1
(5) GoK 2014, Kenya National Cybersecurity Strategy. https:/
(6) WSIS Forum, Outcome Document, ISES Session, 25-29th May 2015, Geneva Switzerland
(7) Europol, The Internet organized Crime Threat Assessment (iOCTA) 2014. https:/
(8) Kigen et al, “Kenya Cyber Security Report, “Rethinking Cyber Security: An Intergrated Approach,” TESPOK & Serianu Ltd, 2014.
Draft questionnaire empty
ISES Country Overview Questionnaire: Please share success and challenges in your country! DRAFT 5
1. What is your cybersecurity strategy?
This question aims to gather information on the strategy itself and rationale behind it (e.g. objectives, main drivers and contextual changes that led to its development, and the meaning or understanding of “cybersecurity” in this particular context. The international dimension of the strategy and relation to international organisations, main priorities)
2. What is being done to implement the strategy?
On Policies& Strategies (e.g. Did you modify your strategy or policy late, and why? How policies reflect the strategy, with policies are successfully translated in implementation which are lagging?)
3. How does the strategy/policy relate to other areas in government?
On Cyber-Security Integration (e.g. What are the needs and demands of economy (growth, innovation, competition) and society? How is the integration into education, research and development, e-government, and fundamental values (e.g. good governance, privacy, free flow of information, etc.?)
4. Explain processes used to develop, implement and review the strategy and policies
Who are the major stakeholders and what are their roles in your country? Do you have international co-operations (e.g. regional or international exercises)? What are main challenges in the process of development, implementation and review of its strategy and policy, as well as in the process for international co-operation. What lessons have been learned?
5. Who is the key person to contact in your country?
Country : Fullfil by : Date :
Please make any remarks on the backside. Thanks in advance for supporting ISES!
Draft questionnaire filled as an example