Background

Noting the importance of cyber-security for all agencies, as also reflected in the HLCM Results Framework, the Chair welcomed the ICT Network representative to brief the Committee on progress in this area. The Chair also welcomed, via teleconference, the World Bank Vice President and Chief Information Officer, Ms Stefanie von Friedeburg, along with the World Bank Chief Information Security Officer, Mr Clay Lin.

The ICT Network representative thanked the Committee for the opportunity to highlight the key activities taking place within the Network as they relate to the implementation of the HLCM Strategic Plan for “coordinated work in the area of crisis preparedness and response, business continuity and cyber-security” and the “considerable common ground with respect to how to best protect ourselves from business disruptions and security threats”. Emphasizing the growing importance of information security, it was noted that during the GA General Debate, several Heads of State called upon the United Nations to take action to address information security, and that the United Nations Secretary-General had recently appealed to Member States to respect international laws and treaties after it became public that some Member States had gained unauthorized access to the UN video conferencing system.

ITU informed the Committee that a “UN-wide framework on Cyber-security & Cybercrime” would be presented at the HLCP meeting of 17-18 October, in response to a CEB decision to address the growing risk posed by cyber threats and cybercrime to global stability. The proposed framework presents the UN system with a set of principles that guide UN entities in integrating cybercrime and cyber-security support to Member States in their programme development plans.

The ICT Network then reported that at the recently concluded annual session of the Network information security subgroup, the chief security officers of the United Nations system agreed to proceed with the development of a Charter for an inter-agency Computer Incident Response Team (CIRT). This facility is designed to support agency efforts to ensure the confidentiality, integrity and availability of their information infrastructure and assets while preserving the federated nature of the UN agencies and UN-affiliated organisations that participate in the CIRT.

Discussion

To further elaborate on the importance and value of a CIRT, the HLCM Chair called upon the World Bank, participating via teleconference, to offer their perspective. Ms von Friedeburg noted that the recent information security journey for the Bank began in 2007 after their first significant security breach. The group performing these functions has now grown to 50 staff members, based both in North America and at an off-shore service centre. Mr Lin noted that the office of ICT consolidated in late 2008, when an analysis revealed an underinvestment in information security activities, including fragmented governance, resulting in an insufficient security response capability. After centralization of the governance and functional capacity, the Bank was able to construct a robust facility that initiated service in early 2010 with a scope that includes 24 x 7 incident response. The off-shore service has become an extension to the operations in headquarters, and realized a benefit of increased cost efficiency. The Bank now has standardized processes with improved intervention, and has reduced time for intervention from days to minutes. Mr Clay noted that this service is provided to all Bank entities, which operated in a federated manner, and is approximately 8% of total ICT spend. Mr Clay concluded by offering to collaborate with the UN system through shared threat analysis, lessons learned, and many of the details of the CIRT, including job descriptions and skill requirements.

The Chair thanked ITU and the World Bank and, during the discussion, the UN Secretariat expressed support for the improvement of the capacity of the UN system to address information security concerns, noting that in a matter of three years the Bank was able to construct a robust service. The UN Department of Safety and Security noted that at the most recent session of the Inter-agency Security Management Network (IASMN) the ITU presented the challenge of cyber-security, using as an example an attack during a major conference late last year. The IASMN found the presentation on cyber threat/attacks very informative. Noting the multi-faceted aspects of cyber security, the IASMN recognized that there is a need for increasing awareness on this issue, as well as for clarifying governance and reporting lines within the respective organizations, and supported that there be synergy between the ICT Network and the IASMN on this matter.

In summarizing, the Chair noted that cyber-security remains part of the HLCM Strategic Plan Results Framework, and agencies will need to face this important issue, remaining mindful of appropriately dividing responsibilities between bodies, including HLCM and HLCP. In addition, the Chair noted that work in this area should focus on strategic risk and the vulnerabilities we are facing because of the insecure environment, and in this respect the contribution of the World Bank would be invaluable.

Action

The committee:

  • Thanked the ICT Network for its work.
  • Took note of all the work done in the area of cyber-security by HLCP.
  • Thanked the World Bank for its generous offer and called upon the ICT Network to take concrete action to gain from experiences and lessons learned.