Thursday, March 31, 2011

Measurement Of ICT Resilience And Robustness

Information and communication technology (ICT) brings efficiency and many more benefits. On the darker side, it is also exploited by cyber criminals for their nefarious activities. That is why information security of ICT networks and systems is of paramount importance.

Dartmouth’s Institute for Information Infrastructure Protection (I3P) has provided its Cyber Security Research Recommendations in the past, informs Praveen Dalal, managing partner of New Delhi-based techno legal firm Perry4Law and leading techno legal expert of India. They are in the form of a set of “Recommendations” for advancing Research in Cyber Security that can be implemented in the next five to 10 years, informs Dalal.

The report recognises four areas upon which work should be started on a priority basis. These are:

(1) A coordinated and collaborative approach is needed.
(2) Metrics and assessment tools must be developed.
(3) An effective legal and policy framework for security must be created.
(4) The human dimension of security must be addressed.

These are very good recommendations and need to be developed further, suggests Dalal. Recently, the European Union (EU) agency, the European Network and Information Security Agency (ENISA), provided its first comprehensive report on Metrics and Measurements in Network and Service Resilience, informs Dalal. The report has shown a lack of Standards and Coherency in this regard, informs Dalal.

ENISA has published the “Main Challenges and Recommendations on Network and Service Resilience Metrics” report, as well as a technical report. These are the first ever reports in Europe to address this area's lack of a holistic review. ENISA believes that metrics and a measurement framework are essential to the assessment of practices and policies to improve network and service resilience.

One of the challenges mentioned in the report is that there are very few existing frameworks and not one is globally acceptable. Even in the field of Cyber Crimes, there is no Internationally Acceptable Cyber Law Treaty, informs Dalal. Although we have the EU Convention on Cyber Crimes, many countries are not part of the same, says Dalal. Similarly, we have no internationally acceptable cyber security treaty.

Thus, there is no international harmonisation in crucial fields like cyber law and cyber security. Naturally, we have no international norms and standards to measure ICT resilience and robustness either. It is also important for Critical ICT Infrastructure Protection that nations be able to accurately measure the security and resilience of their critical infrastructures.

These recent developments are much needed and I hope they would be transformed into a Harmonised Code, wishes Dalal. I hope India would also take note of these international developments and would do the needful in this regard.