As technology dramatically changes the way global businesses offer services, how are forward-thinking nations adapting to this new normal?
If we take away the commonly talked-about G7 nations, and also put aside the ongoing cyberbattles commonly discussed involving China, Russia, North Korea and Iran, how are other countries planning ahead to address their future in cyberspace using new technology?
A Compelling Story in Kazakhstan
In the summer of 2018, I was contacted by representatives from the Republic of Kazakhstan (RK) who formally invited me to participate in the prime minister of the RK B. Sagintayev’s International Advisory Board on Digitalization.
Kazakhstan, a central Asian country and former Soviet republic, extends from the Caspian Sea in the west to the Altai Mountains at its eastern border with China and Russia. Its largest metropolis, Almaty, is a long-standing trading hub. The population of Kazakhstan was just over 18 million in 2017, and the country recently renamed its capital from Astana to Nursultan.
The percentage of Internet users in Kazakhstan exceeds 81 percent of the population, which is not far off the 90 percent of the population in the U.S. who use the Internet. The country is engaged in a series of ambitious new technology efforts, with detailed metrics, that affect every area of life. From business to education to international trade, Kazakhstan is rapidly upgrading infrastructure and seeking new innovative solutions.
This article from Euronews.com shows how many similarities in technology planning for economic development exist between the numerous countries from around the world that recently met in Kazakhstan and states in the USA.
Specifically, I was asked if I would participate in a series of reviews and meetings related to “Digital Kazakhstan.” As described at their website, the Digital Kazakhstan program includes five core goals:
- “Digitization of the economy branches” — reorganization of the RK economy traditional branches using groundbreaking technologies and possibilities, which increase labor productivity and lead to the capitalization growth.
- “Transition to the digital state” — state infrastructure transformation to provide services for population and business, anticipating their demands.
- “Implementation of the digital Silk Way” — development of a high speed and security infrastructure of the transfer, storage and processing of data.
- “Evolution of the human capital assets” — transformational changes, comprising creative society formation and transition to the new realities — knowledge-based economy.
- “Innovative ecosystem formation” — creation of the conditions for technological entrepreneurship development with stable relations between business, academic domain and state, as well as introduction of innovations into industry.
Security for Digital Kazakhstan Called ‘Cyber Shield’
The multi-year Digital Kazakhstan effort includes many technology aspects, but I was specifically asked to participate in reviews of their overall cybersecurity strategy and plans for their nation.
While some of the actions and results of the meetings cannot be shared, most of the actions are made public. Here is the authorized list of reportable actions taken and planned from the advisory board meetings in September 2018:
“Report on the implementation of recommendations of the 3rd meeting of the advisory board on cybersecurity in the Republic of Kazakhstan:
To date, the concept of the ‘Cyber Shield of Kazakhstan’ was developed, with the purpose to achieve and maintain the level of protection of electronic information resources, information systems and ICT infrastructure from external and internal threats, which would ensure the sustainable development of the Republic of Kazakhstan in the context of global competition.
For the protection of personal data, the data protection agency will operate on the basis of the General Data Protection Regulation, which applies to the European Union countries.
In addition, the presented recommendations are implemented as follows:
— Unification of the utilized server and network equipment was ensured, unified approach was introduced to record and monitor all existing information systems of central state bodies, local executive bodies and subordinate organizations.
— Information on information security incidents will be provided to the Ministry of Defense and Aerospace Industry in operational and statistical regime and will be used to take both corrective and state control measures. According to the legislation of the Republic of Kazakhstan, when identifying threats to information security, the owner of the information system shall immediately inform RSE “state technical service” of the National Security Committee of the Republic of Kazakhstan.
— Measures have been taken to regulate information security measures in the commercial sector. Thus, the legislation of the Republic of Kazakhstan regulates the rights and obligations of owners of information objects; information security requirements, mandatory for use by quasi-public-sector entities and owners of non-state information systems; responsibilities of owners of critical infrastructure when transferring backup copies of electronic information resources to a single platform for the backup storage of electronic information resources.
— Regulation of cybersecurity measures for networks in the field of telecommunications by developing amendments to the legislation of the Republic of Kazakhstan with the assignment of responsibilities to telecom operators and subscribers in order to ensure information security, compliance with protective measures against malfunctions of subscriber devices, and in order to prevent the spread of viruses to other devices.
— Measures are envisaged to develop a culture of cybersecurity, as well as to include cybersecurity issues in the primary school curriculum and secondary education, and training courses in the field of information security for members of the judiciary and the legal sphere, as well as civil society, are being developed.
— The National Anti-Crisis Response Plan for Computer Incidents was approved, which envisages the creation of an operational headquarters for responding to information security crisis situations. It is planned to hold headquarters exercises on interaction on information security incidents, during which information and technical impact on government bodies will be simulated.
— This year, a normative legal act has been approved, which defines the basic necessary content of measures in the field of implementing information security requirements used in the information security management system in an organization, as well as assessing information security risks, and also a number of regulatory legal acts have been approved that contain useful recommendations on the use of 40 security measures.
— By 2020, a number of measures are envisaged for the development of cyber-risk insurance by stimulating the creation of insurance products in this area, which can better meet the needs of consumers in protecting their property interests and covering exclusively the risks associated with the safety of personal databases and other confidential information. It is supposed to isolate cyberinsurance into a separate insurance class and establish a minimum level of requirements for obtaining an insurance license for this class, as handling this type of risk requires the insurer to have sufficient capital, experience in the IT field, the availability of appropriate underwriting and access to international cyberinsurance markets.
— Ensuring operational interaction with interested international organizations (ICANN, UN, GGE, WEF Global Cybersecurity Center, etc.) involved in the formation of the rules for regulating the Internet regarding military security and the detection of cybercrimes between countries. Thus, the representation of the Republic of Kazakhstan at ICANN on the Internet governance infrastructure security (its national segment) is provided by the Kazakhstan Network Information Center, the Association of IT companies, as well as by appointing the representative of the Republic of Kazakhstan to the Government Committee under ICANN.
Interaction with the UN Group of Governmental Experts is supported by the Permanent Mission of the Republic of Kazakhstan to the UN, which was directly involved in the work of the UN Group of Governmental Experts for the years 2016-2017. If the UN Secretary-General decides to convene the next (fourth) Group to prepare a report on the achievements in the field of ICT in the context of international security, it is planned to submit a second application from Kazakhstan to participate in the work of the Group. Currently, a letter has been sent to the WEF Global Cybersecurity Center to establish cooperation with the Republic of Kazakhstan.
Also, in order to implement the UN Global Cybersecurity Program, Kazakhstan has strengthened its work in the UN International Telecommunication Union. In November, the next Report on the Global Cybersecurity Index is expected to be published, which will reflect the position of the Republic of Kazakhstan in the ranking.
The practical interaction for ensuring security in the use of ICT is carried out with foreign organizations through the Forum of national and industry-specific Incident Response and Security Teams — FIRST.
— It is envisaged that Kazakhstan will join the Budapest Convention on Cybercrime: Representatives of the Council of Europe plan to visit Kazakhstan in December this year to hold a working meeting, as well as to familiarize themselves with the country’s legislation to prepare a preliminary expertise.
According to the results of the preliminary expertise, the Council of Europe will develop recommendations and proposals on bringing the legislation of the Republic of Kazakhstan to the requirements for the parties to the Convention.”
My Input and Feedback from Global Interactions
I was impressed with the efforts put forth by the government of Kazakhstan, as well as how they sought international expertise and input from countries around the world.
Here is an excerpt from their press release (in English) describing the meeting participants and a few outcomes:
“The following international experts also participated in the discussion in this sphere and made their offers on implementation of opportunities of Kazakhstan: CEO of InfoWatch group of companies Natalya Kasperskaya, CEO of SecDevgroup Rafal Rohozinski, executive director of INSEAD Bruno Lanvin, the founder of the E-Governance Academy Ivar Tallo, the chairman of the advisory board of Fraunhofer Institute Burghard Shil and the IT and electronics manager of the World Economic Forum Danil Kerimi, and also on the system of video conferencing — the international guru in the field of cybersecurity Dan Lohrmann. …”
Another important aspect of the meetings included interactions with international cyberexperts, like Andrew Beklemishev, IDC’s vice president of the Central Asia Region. IDC offered these high-level comments on cybersecurity:
- IDC data shows that governments globally are giving cybersecurity different levels of priority. The difference between countries is not linked to their relative wealth and “development status.”
- National cybersecurity needs to be viewed in two aspects: the protection of state assets systems so that the apparatus can function and the overall protection of the economy and the population. The first can be planned, centralized and controlled, the second the state should educate, guide and less directly influence.
- Kazakhstan has invested in the former and government online resources are pretty well protected. Where Kazakhstan lags behind is the latter.
- Kazakhstan (according to Kaspersky) is one of the countries where users face the greatest risk of online infection (No. 4 in the world). The post-Soviet area is one of the world’s more aggressive online environments.
- Malware infection is one of the most dangerous forms of cyber-risk — Wannacry for example. IDC has found that malware encounters closely correlate to the national rate of unlicensed software.
- The list of the countries where users face the greatest risk of online infection maps neatly to the list of countries with the highest rate of piracy.
Initially, I had planned to travel to Kazakhstan for the meetings, but due to business conflicts, I presented my input via a live video stream. Most of my comments related to workforce development and creating a culture of cybersecurity, including training and awareness and growing the technology and cyberworkforce. It was great to see many of my comments included in the final report.
Even as the United States and other G7 countries struggle to fill technology and cybersecurity positions with the right talent, many other nations also struggle with the same problems. Nevertheless, far from giving up, many countries are developing impressive plans for their digital futures, including Kazakhstan.
There were a number of documents that we reviewed under the umbrella of “Cyber Shield of Kazakhstan.” Some of my feedback on their plans included these needs:
- Highlight that cybersecurity is very important for the whole country and its importance should not be underestimated in their technology plans.
- Emphasize that the first step to address the cybersecurity issue is to raise awareness among all government employees. They all need to be trained.
- Make clear that everyone in the government needs to avoid the “ostrich syndrome” — problems, attacks, vulnerabilities should be discussed openly and not hidden away hoping no one would notice.
- The need for cyberincident response plans and testing of plans with tabletop and full-scale exercises. (Note: I was pleased to see the “National Anti-Crisis Response Plan for Computer Incidents” was approved.)
- Study strategic examples like the Michigan Cyber Initiative, which includes:
- Security training for all government staff using game-based, brief, frequent and focused security content that is engaging and even fun.
- Michigan Cyber Civilian Corps — like a volunteer fire department in case of cyberemergencies
- Michigan Cyber Range — team-based training in attacking and defending networks and cities. For more, visit the site.
- Michigan Cyber Challenge — individual and team competitions for students and experienced staff — never stop learning — always changing. For more, see this site.
With the permission of the Republic of Kazakhstan, I am sharing this information now to demonstrate some of the great work that is ongoing around the world. I hope you find this example enlightening.
No doubt, there are many differences in international cyberactivities across different cultures and regions, but there are also many common plans, goals and ongoing efforts in fighting cybercrime and building 21st-century digital economies. We need to all work together as nations, as well as share best practices that work for governments and the private sector.
As I have discussed in previous blogs, many foreign countries are similar in size to states in America. We can work together as nations, but also as states/provinces and even as Sister Cities on common cyberchallenges.
It was an honor to participate in this advisory board effort in Kazakhstan, and I learned so much about the rich culture in a different part of the world. I still hope to visit the Republic of Kazakhstan in person for a future advisory board meeting on Digital Kazakhstan.
In the meantime, I wish Kazakhstan the best of success in implementing its ongoing “Cyber Shield” efforts.
*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/digital-kazakhstan-addressing-the-global-cyber-challenge.html