The first steering committee for a public South African Computer Security Incident Response Team (CSIRT) will meet on 27 November to plan the way forward for the establishment of a private sector CSIRT to be established locally.
Prof. Barry Dwolatzky, Joburg Centre for Software Engineering (JCSE) director says the steering committee was formed at a meeting of public and private sector representatives last month, including most of South Africa's largest financial institutions, Comsec - the legislated body created to oversee government's information security issues in terms of the 'Comsec Act' (Act 68 of 2002) - and a broad cross-section of government departments and other organs of state. The steering committee will also draw in representatives from other crucial stakeholders like the ISP and IT vendor communities.
"The JCSE and the Information Security Group of Africa (ISG - http://www.isgafrica.org/
) hosted the gathering at Wits University where a rough blueprint for a proposed CSIRT was proposed. All parties agreed that, in principle, the formation of such a body is crucial for the future of information security in South Africa, and is ultimately inevitable," he says.
Simply put, a CSIRT's function is to tackle cybercrime, putting in place preventative measures where possible and responding quickly to major cybercrime incidents as they occur, Dwolatzky says.
There are a billion people and 10 billion web pages on the Internet, and some 12% of all global trade now happens online. Furthermore, while local access to the Internet has been restricted, Internet penetration is increasing. According to the World Wide Worx's most recent Internet survey (http://www.theworx.biz/access07.htm
), 3,85 million people in South Africa will have access to the Internet by the end of 2007. This is expected to increase significantly by 2010.
As Internet penetration grows, an increasing proportion of public service delivery is being supplied directly via the Internet, or is enabled by it. Along with that, e-mail is easily the biggest global business communication tool. Dwolatzky says these realities make a collective approach with proactive coordination between the public and private sectors crucial if South African organisations are to be trusted with sensitive information by one another, or by their foreign counterparts.
According to ISG's Craig Rosewarne, South Africa has a skills shortage in the area of cyber security. "There is also a generally low focus on computer security because the private sector is concerned with profit margins and shareholder interests, while government is focusing on basic service delivery and more traditional crime."
While it was agreed at last month's meeting that it is correct to focus on these issues, it was acknowledged that computer security already has a huge bearing on corporate shareholder interests, and also a growing influence on government's ability to render services to the population.
The first African CSIRT was recently launched in Tunisia, while most other continents have multiple teams ready to deal with computer emergencies.
"Africa is way behind the curve; a CSIRT must form part of an holistic, responsible approach to both national and corporate governance," Rosewarne warns.
According to Dwolatzky, the broader national interests of both the private and public sectors should override the individual interests of any organisation. "These are issues of national security, and even in terms of individual interests, a collective effort will enable government departments, banks and other customer service organisations to deal with the threats posed by hackers, white collar criminals, spies and terrorists more quickly, cheaply and effectively."
At the same time, Dwolatzky echoes the views expressed by delegates that issues such as ownership of information and hardware, network neutrality, classification of information and even challenges in the current justice system like the need for technical training for magistrates, will have to be addressed. "I do not believe these are insurmountable issues," says Dwolatzky. "Dozens of national and private computer security incident response teams around the world have had to overcome the same issues. We can learn from what they have already done in terms of building trust among key roleplayers. We will combine the need to accommodate local realities with the wisdom to be gained from those who have already walked this road."
This view was borne out by Comsec's CEO Taki Netshitenzhe, who pointed out that the critical infrastructure of the country lies in the hands of both government and the private sector. "There is no physical divide between our systems," she said. "If one of us goes down, it has the potential to affect us all. For government, the 2010 World Cup represents a key milestone. We have no choice but to have computer security systems in place before this showcase event comes to our shores."
The way forward
Delegates were presented with a proposal from the Software Engineering Institute (SEI) (www.sei.cmu.edu
), the body administering computer emergency response teams around the globe, for a programme of activities that would place South Africa on the road to globally recognised CSIRTs.
SEI is based in the US and was formed under the auspices of Carnegie Mellon University (CMU). In addition, there was a presentation by Comsec on the government perspective on the establishment of a National CSIRT which will coordinate the government lead (Comsec CSIRT) and the corporate lead CSIRT. The proposal from SEI included plans for collaboration with CMU to train South Africans in the area of computer security. The meeting looked at existing information security efforts in the government and corporate sectors, and explored how these could collaborate to avoid unnecessary duplication of efforts.
Next week's meeting will push the initiative forward, and to draw in representatives from other crucial stakeholders like the ISP and IT vendor communities. The steering committee will put together a locally based proposal for the practical roll out of South Africa's CSIRTs.