Implementing a cybersecurity program

It is recommended that practitioners implement a cybersecurity program to build the capacity of the ID authority to protect its assets and the capacity of the central cybersecurity agency to perform a supportive and enabling role. Since government budgets may not be enough to fund high-end security arrangements for every information asset, this involves the identification and allocation of risk profiles and their associated tolerance levels to guide the level of safeguarding of each ID system asset. A formal recognition of the ID system as a critical national information infrastructure (CNII) may be adopted so that high-end security arrangements and respective budgets can be allocated.

A cybersecurity program for the ID system may also include the following implementation activities, among others:

1. A legal framework on cybersecurity. Enactment of good practice Cybercrime and Cybersecurity legislation (discussed earlier in Section III. Legal Frameworks).

2. Sectorial cybersecurity strategy for the ID system. To supplement a national-level cybersecurity strategy document, a sectorial cybersecurity strategy focused on the ID system may be considered.

3. Cybersecurity foundations. To strengthen the safeguarding of private data and ID systems, activities to provide the necessary cybersecurity foundations are recommended. These include (a) a cybersecurity architecture to work in complementarity with the technical design of the system ex ante and by design; (b) a cybersecurity work and action plan with clear delineations of responsibilities and roles to be created and implemented, with an annual evaluation and revisions as needed; (c) a set of compliance standards for cybersecurity across sectors; (d) a trust and transparency framework; (e) best practice ISO certification of the primary provider of cybersecurity for the ID authority.

4. Intelligence monitoring, detection and analysis. An important first step for cybersecurity is collecting intelligence on potential threats and risks. Recommended activities for consideration are: (a) a risk analysis; (b) systems and software to enable capable threat intelligence for the ID ecosystem; (c) an ID system security operations center (ID-SOC) team to undertake threat intelligence and monitor the critical information infrastructure assets of the sector; (d) tools to detect human and physical vulnerabilities; (e) fraud detection tools; (f) recruitment of a certified chief information security officer (CISO) and team for the ID authority; (f) capacity building and ongoing skills development for the ID authority and selected partners, with a strategy to overcome human resources turnover challenges.

5. Prevention. Once hackers have successfully penetrated a system, mitigation and recovery can become costly endeavors in terms of time, effort and budget. A key element of a cybersecurity program is therefore prevention. Recommended activities are: (a) technical solutions for the safe transfer and interoperability of data through encryption and standards; (b) reinforcing the public key infrastructure (PKI) for identification; (c) regular cyber risk assessments undertaken of the ID authority and its partners; (d) regular audits of the ID authority’s infrastructure and processes by external vendors; (e) regular penetration tests by certified ethical hackers and by the national CERT to identify vulnerabilities.

6. Enforcement. If the country or ID authority have a hub-and-spokes model for its cybersecurity processes, one or both of their roles may be to enforce the cybersecurity of partners. To achieve this, it is recommended to consider: (a) an evaluation and audit framework for partners; (b) regular cybersecurity audits of partners spanning government agencies and private sector licensed partners to ensure compliance; (c) certification of partners’ hardware and software; (d) cybersecurity requirements for the licensing of partners.

7. Reporting, Response and Mitigation. Depending on the institutional and governance structure set out by the country’s national cybersecurity strategy or policy, the national-level CERT could be supplemented by a CERT for the ID sector. Where needed, this could include: (a) establishment of an ID-CERT to link to the national CERT and provide the necessary sectorial support; (b) institutional, governance and technical mechanisms and procedures for agencies to report incidents to the ID-CERT; (c) response and mitigation tools, mechanisms and procedures by the ID-CERT; (d) hardware and software support for the ID-CERT team; (e) capacity building and ongoing skills development for this team, with a strategy to overcome turnover challenges. Such arrangements may be more applicable in larger countries, whereas in smaller economies, the national CERT would take on these roles.

8. Recovery. In the event of a breach, a crucial element of a Cybersecurity program is to recover and regain regular operating levels as quickly as possible. Recommended activities to achieve this include; (a) defining a business continuity plan that takes into consideration the business operation for the ID ecosystem; (b) exercising and testing of the business continuity plan; (c) defining a disaster recovery plan that takes into consideration the infrastructure operation for the ID system, including redundancy; and (d) related capacity building.

9. Capacity building and skills development. To provide the ID authority and its partners with the skills required to deploy Cybersecurity standards as required, recommended activities are the needed skills development for Cybersecurity managers and technical staff: (a) technical training for officials and selected partners; (b) regularly reviewed skills gap analyses and capacity building plans; (c) tailored awareness raising for management and budget deciders; (e) capacity building for the ID-CERT, ID-SOC teams and the business continuity/disaster recovery efforts; (f) a strategy for overcoming turnover challenges of staff moving to more lucrative employment after they have been trained.