CONPES Document
NATIONAL COUNCIL FOR ECONOMIC AND SOCIAL POLICY
REPUBLIC OF COLOMBIA
NATIONAL PLANNING DEPARTMENT
NATIONAL POLICY FOR DIGITAL SECURITY
Ministry of Information and Communication Technologies
Ministry of National Defense
Ministry of Justice and Law
Ministry of Foreign Affairs
Ministry of Commerce, Industry and Tourism
Ministry of the Interior
Ministry of Finance and Public Credit
Ministry of Environment and Sustainable Development
Ministry of Agriculture and Rural Development
Ministry of National Education
Ministry of Health and Social Protection
Ministry of Labor
Ministry of Mines and Energy
Ministry of Culture
Ministry of Transport
Ministry of Housing, City and Territory
National Planning Department
Administrative Department of the Presidency
Administrative Department of the Public Service
National Administrative Department of Statistics
National Administrative Department of the Solidarity Economy
Draft 2 - 22/01/2016
0000
Bogotá, D.C., Approval Date
NATIONAL COUNCIL FOR ECONOMIC AND SOCIAL POLICY
CONPES
Juan Manuel Santos Calderón
President of the Republic
Germán Vargas Lleras
Vice President of the Republic
María Lorena Gutiérrez Botero
Minister of the Presidency
Juan Fernando Cristo Bustos
Minister of the Interior
María Ángela Holguín Cuéllar
Minister of Foreign Affairs
Mauricio Cárdenas Santamaría
Minister of Finance and Public Credit
Yesid Reyes Alvarado
Minister of Justice and Law
Luis Carlos Villegas Echeverri
Minister of National Defense
Aurelio Iragorri Valencia
Minister of Agriculture and Rural Development
Alejandro Gaviria Uribe
Minister of Health and Social Protection
Luis Eduardo Garzón
Minister of Labor
Tomás González Estrada
Minister of Mines and Energy
Cecilia Álvarez-Correa
Minister of Commerce, Industry and Tourism
Gina Parody d'Echeona
Minister of National Education
Gabriel Vallejo López
Minister of Environment and Sustainable Development
Luis Felipe Henao Cardona
Minister of Housing, City and Territory
David Luna Sánchez
Minister of Information and Communication Technologies
Natalia Abello Vives
Minister of Transport
Mariana Garcés Córdoba
Minister of Culture
Simón Gaviria Muñoz
Director General of the National Planning Department
Luis Fernando Mejía Alzate
Sector Sub-director and Technical Secretary of CONPES
Manuel Fernando Castro Quiroz
Sub-director of Territorial and Public Investment
Executive summary
The massive growth in the use of Information and Communication Technologies (ICT) in
Colombia, together with the increasing number of services available online and the growing
participation of society in economic and social activities in the digital environment, has
transformed the lives of all Colombians. However, use of the digital environment carries
inherent digital security risks that must be managed. In just one day (7 January 2016), the
incident response consulting services company Intel Security Foundstone monitored a total
of 8128 digital security incidents in Colombia.
Following the issuance in 2011 of CONPES document 3701, Policy Guidelines for
Cybersecurity and Cyberdefense, institutions were established in the country, headed by the
Ministry of National Defense, which have been performing their functions and activities
efficiently. Although this effort has given the country an important international standing
on the matter, it is essential to strengthen the national Government's leadership and to
build a new, clear general vision, with a comprehensive approach and in accordance with
international best practices, to address digital security risks. This requires a change in
the policy guidelines in force thus far.
This CONPES document puts forth a National Policy for Digital Security that articulates
a clear general vision, supported at the highest level of the Government, under an efficient
institutional model that involves all stakeholders: the national Government itself, public
and private organizations, academia and civil society. This policy clearly differentiates
the economic and social prosperity objectives from the country's objectives of defense and
of fighting crime and delinquency in the digital environment. It focuses on implementing a
set of fundamental principles through a series of specific actions, organized under
strategic dimensions, around the management of digital security risks.
With respect to the economic and social prosperity objective, this policy addresses
digital security risk as an economic and social challenge. It creates conditions for all
stakeholders to manage digital security risk in their economic and social activities,
promoting trust in the digital environment as a means to achieve the objectives of the
National Development Plan 2014-2018 “All for a new country – Peace, Equality and
Education” as well as of the Vive Digital Plan 2014-2018. To implement this policy, an
action plan has been built involving a total investment of $xxxx.
The results expected from adopting and implementing the National Policy for Digital
Security are that Colombia: i) strengthens the institutional, regulatory, administrative and
management capability in order to address the digital security issues from the highest
level, raising awareness among and training all the stakeholders, ii) builds a national
strategy for digital security that generates trust and promotes the use of the digital
environment in line with its fundamental values, and develops an efficient cooperation
model involving all the stakeholders in the framework of the digital security risk
management in order to maximize the economic and social benefits in all the economic
sectors, iii) protects the fundamental rights and the economic and social activities that its
citizens perform in the digital environment, increases the fight against crime and
delinquency in the digital environment and implements assistance mechanisms for victims
of crimes in that environment, iv) ensures the defense of its fundamental interests and
reinforces the digital security of its national critical infrastructures with a risk management
approach, and v) participates actively at national and international level in the promotion
of an open, stable and reliable digital environment, and in the cooperation, collaboration
and assistance with respect to the management of digital security risks.
Lastly, it is estimated that the implementation of the National Policy for Digital
Security by 2020 shall have a positive impact on Colombia's economy, generating by 2016
approximately 307.000 jobs and an approximate growth of 0,1% in the average annual
variation rate of the Gross Domestic Product (GDP), without generating inflationary
pressures.
Classification:
Keywords: Digital Security, Cyberdefense, Cybersecurity, Risk Management, Digital
Environment, Digital Economy, Economic and Social Prosperity, Computer Threats, Capabilities,
Coordination, Strengthening, Leadership, Critical Infrastructure, Cyberspace, Cryptology, Diplomacy.
TABLE OF CONTENTS
1. INTRODUCTION
2. HISTORY AND JUSTIFICATION
3. CONCEPTUAL FRAMEWORK
4. ANALYSIS
4.1. Progress of the recommendations established in CONPES 3701 dated 2011
4.2. High-level working groups to analyze the status of the current policy
4.3. General problems
4.3.1. Colombia makes limited efforts to address the digital security issues, as it does not have a clear and general, risk-based vision.
TABLE INDEX
Table 2.1. Projections of some indicators of the ICT use worldwide
Table 2.2. Big incidents of digital security in the world during 2014
Table 2.3. Estimated cost of malicious activities in the digital environment
Table 2.4. Economic impact of the ICT sector on Colombia's economy between 2010 and 2014 (figures in pesos)
Table 2.5. Methods used by criminals in Colombia to obtain information of financial customers
Table 3.1. International Regulatory Framework
Table 3.2. Percentage of organizations that apply risk-based digital security strategies
Table 4.1. National Regulatory Framework
INDEX OF FIGURES
Figure 2.1. Global development of ICT Services
Figure 2.2. Digital Economy Ecosystem
Figure 2.3. Industry digitization index in 2011 and 2012
Figure 2.4. Industry digitization index in the United States in 2015
Figure 2.5. Compared economic impact of a country's digitization and of the broadband and mobile telephony penetration
Figure 2.6. Participation of the ICT sector in the total added value of OECD countries in 2013
Figure 2.7. Labor productivity in the ICT sector and in the economy of the OECD countries in 2013
Figure 2.8. Labor market in the ICT sector in OECD countries
Figure 2.9. Global distribution of malware and infection risks in 2014
Figure 2.10. Types of most common incidents of digital security in 2015
Figure 2.11. Evolution of malware worldwide to the third quarter of 2015 (cumulative)
Figure 2.12. Breached sectors by number of exposed identities
Figure 2.13. Industries targeted by spear-phishing in 2014
Figure 2.14. Digital security incidents estimated annual cost for a typical organization per industry
Figure 2.15. Predictions of new types of threats in the digital environment in the future
Figure 2.16. Evolution of Internet subscribers in Colombia
Figure 2.17. Economic impact of digitization on Latin America (2005-2013)
Figure 2.18. Growth of the Gross Domestic Product and of the Post and Telecommunications activity 2010 - 2T 2015 (%)
Figure 2.19. Trends of incidents in the digital environment in Colombia
Figure 2.20. Cost of the malicious activity as % of the GDP in some countries in 2014
Figure 3.1. Evolution of the implementation of a digital security strategy in some countries
Figure 3.2. Schematic summary of the OECD recommendations on Digital Security Risk Management
Figure 3.3. Principles put forth by the OECD for the building of a digital security risk management policy.
Figure 3.4. Adoption of digital security strategies in organizations
ACRONYMS AND ABBREVIATIONS
CAI VIRTUAL: Command for Immediate Virtual Action of the National Police of Colombia
CCOC: Joint Cyber Command of CGFM Colombia
CCP: Police Cyber Center of the National Police of Colombia
CGFM: General Command of the Military Forces of Colombia
CICTE: Inter-American Committee Against Terrorism
ColCERT: Cyber Emergency Response Group
CONPES: National Council for Economic and Social Policy
CRC: Communications Regulatory Commission
CSIRT: Computer Security Incident Response Team
DANE: National Department of Statistics
DIJIN: Criminal Investigation Directorate
DNP: National Planning Department
EUROPOL: European Police Office
CI: Critical Infrastructure
INTERPOL: International Criminal Police Organization
CGEM: Computable General Equilibrium Model
ICT MINISTRY: Ministry of Information and Communication Technologies
OECD: Organization for Economic Cooperation and Development
OAS: Organization of American States
NATO: North Atlantic Treaty Organization
AMP: Action and Monitoring Plan
GDP: Gross Domestic Product
ICT: Information and Communication Technologies
ITU: International Telecommunication Union
1. INTRODUCTION
The massive growth in the use of Information and Communication Technologies (ICT) in
Colombia, reflected in the increase from 2.2 million Internet connections in 2010 to 12.2
million in 2015¹ and due to the large scale of telecommunications networks as the basis for
any socio economic activity² and the increase of services available online³, shows a
significant increase in the digital participation of citizens which, in turn, translates into
the existence of a digital life for the Colombian people.
The massive use of the ICTs to conduct any socio economic activity has led to the
development of a growing digital economy in the country, generating the need to
establish mechanisms to guarantee the security of the individuals and their activities in the
digital environment in the short, mid and long term. For example, the digital security
incidents on IT platforms of the defense sector managed by the CCOC increased by 73%
between 2014 and 2015, while the country's CCP has performed on average 330 arrests in
2014 and 2015, which shows a strong relation between the growth of this economy and
the increase of the risks and uncertainties⁴ to which people are exposed in the digital
environment.
1 According to COLOMBIATIC (2015), this refers to broadband connections (Vive Digital) with a cut-off date of
30 September 2015. The target established in the National Development Plan 2014 – 2018 for 2018 is 27
million Internet connections.
2 According to the SFC (2015), the number of financial operations (monetary and non-monetary) in Colombia
through Internet increased by 45% from 2012 to 2014 and through the Mobile Telephony channel by 252%. In
the first quarter of 2015, Colombia's financial system carried out 2.026 million operations for $3.237,8 billion
pesos, of which 863 million were carried out through Internet (43% of the total) for an amount of $1.092,61
billion pesos (34% of the total).
3 According to the ICT Ministry's Online Government Program, the percentage of Colombian citizens that use
electronic means to i) obtain information, ii) perform proceedings, iii) obtain services, iv) submit requests,
complaints or claims, or v) participate in the decision making process went from 30% in 2009 to 65% in 2014.
This was also reflected in Colombian companies, which went from 24% in 2009 to 81% in 2014
(http://estrategia.gobiernoenlinea.gov.co/623/w3-propertyvalue-7654.html). Additionally, the Colombian State
portal offered 1.038 online proceedings in 2015 (http://vive.gobiernoenlinea.gov.co/).
4 According to Intel Security (2014), the cost of malicious activities in the digital environment worldwide is
estimated between 0,4% and 1,3% of the global GDP. This cost was approximately 0,14% of the GDP in 2014
for Colombia.
The development of a solid digital economy that contributes positively to the
generation of economic and social prosperity in the country requires the creation of an
open, safe and reliable digital environment, in accordance with the growth and
dynamics of people's digital activities. To that end, there must be a comprehensive and
clear vision of digital security and of the management of risks associated with
threats and incidents that may undermine citizens' integrity, the rule of law, the
exercise of fundamental rights, national security and defense, sovereignty and,
therefore, economic and social prosperity.
Thus a need emerges to establish new digital security guidelines and directives taking
into account components such as governance, education, regulations, cooperation,
research and development, innovation, security and the defense of critical infrastructures,
protection of the country's sovereignty, and focused on the citizens, the society in general,
the Military Forces and the public and private sectors, so that the country has a social and
economic structure in place that facilitates the achievement of the State's goals.
Considering the aforementioned issues and the needs associated thereto, this
document describes the guidelines to develop the Digital Security General Policy, whose
intent is to ensure that the National Government, the public and private organizations, the
academia and the civil society in Colombia, make massive and responsible use of an open,
safe and reliable digital environment through the strengthening of its capabilities to
identify, manage and mitigate the risks associated with the digital activities.
To develop the Digital Security General Policy some unwavering fundamental
principles are established, as well as some dimensions and strategic objectives which once
mapped, result in a set of specific goals and actions that materialize said policy (see section
5).
To prepare this document, the following inputs were the main ones taken into consideration:
• Recommendations issued in September 2015 by the Organization for Economic
Cooperation and Development (OECD), in respect of digital security risk
management.
• Recommendations agreed during the international technical assistance missions
and issued in April 2014 and in July 2015, which were sponsored by the
Inter-American Committee Against Terrorism (CICTE) of the Organization of American
States (OAS), with experts of the governments of Canada, Spain, United States,
Estonia, South Korea, Israel, United Kingdom, Dominican Republic and Uruguay, as
well as representatives of international organizations such as the World Economic
Forum, the OECD, NATO and INTERPOL.
• Official statements and documents of the North Atlantic Treaty Organization
(NATO) in respect of the good practices in the design of national digital security
strategies.
• Recommendations provided in 2014 and 2015 by national experts convened by
the Ministry of Defense, Justice and Law and the Ministry of Information and
Communication Technologies.
• Recommendations from the work groups in 2014 and 2015, expanded with key
players of the public and private sectors, the civil society organizations, the
academia, the ICT industry and companies specialized in digital security in
Colombia.
• Recommendations from the work groups of the National Planning Department,
the Ministry of Information and Communication Technologies, the Ministry of
National Defense and other institutions related with digital security in Colombia,
as well as from other stakeholders during the period between November 2015
and February 2016.
This document is organized as follows, with this section serving as the introduction. The
second section contains the background and the description and scaling of the current issues
around digital security, which establish the justification. The third section contains the
conceptual framework, while the fourth presents an analysis of the issues identified. The
fifth section sets out Colombia's Digital Security National Policy, describing the
fundamental principles, the strategic dimensions, the strategic objectives and the main
goals with the actions to reach the core objective. Similarly, this section presents the
timelines to track the implementation of this policy and its funding scheme. The sixth
section presents a series of recommendations to implement the policy. Lastly, sections
seven to nine contain the glossary, the bibliography and the schedules, which include a
detailed Action and Monitoring Plan (AMP).
2. HISTORY AND JUSTIFICATION
This section presents the international and national landscape on the trends in the use
of the ICTs as the basis for any socio economic activity, the resulting dynamics in the
uncertainties of the digital security during the last years, and the importance of these
aspects for the development of a digital economy. Similarly, considerations are presented
to formulate the Digital Security National Policy.
• International landscape
The swift evolution and adoption of technologies for any socio economic activity, the
increasing use of those by all socio economic levels, the expansion of the
telecommunications networks, and the convergence phenomenon in the provision of
communications services, have marked the dynamics of this sector worldwide in recent
years.
Figure 2.1 shows the evolution of the global indicators on ICT services. Each of them
grows over time, showing that ICT services are becoming more important for people.
According to ITU (2015), strong growth has taken place in the penetration of the mobile
broadband sector, going from 12.6 subscribers per 100 inhabitants in 2010 to an estimated
47.2 in 2015, which reflects the greater availability of this type of service and the
subsequent fall in prices, allowing access to more people, and the growing scale and use of
smart devices (smart phones and tablets). The number of individuals who use the Internet and
of households with Internet access have maintained stable annual growth rates worldwide:
from 29.2 individuals per one hundred who used the Internet in 2010 to an estimated 43.4 in
2015, and from 29,9 households with Internet access per one hundred to an estimated 46.6 in
2015.
Figure 2.1. Global development of ICT Services
Source: ITU (2015)
Similarly, international trends show that the digital environment is dynamic and
grows continuously. Table 2.1 shows the projections of this growth worldwide. It is
estimated that in the next five years the users of mobile broadband will grow by 33%, the
terminals connected to the Internet by 49%, the data generated by 400%, network traffic by
132%, Internet devices by 1200% and the public cloud market by 63%. These aspects show
the increasing relation between socio economic activities and the digital environment.
Table 2.1. Projections of some indicators of the ICT use worldwide
Projections | 2015 | 2020 | Increase in %
More users of mobile broadband | 3 billion | 4 billion | 33%
More connected terminals | 16.3 billion | 24.4 billion | 49%
More generated data | 8,8 zettabytes | 44 zettabytes | 400%
More IP network traffic (monthly) | 72,4 exabytes | 168 exabytes | 132%
Devices – Internet of Things | 15 billion | 200 billion * | 1200%
Size of the global public cloud market | USD$97 billion | USD$159 billion | 63%
Note: * to 2018.
Source: Adapted from Intel Security Labs (2015a)
As described thus far, worldwide the ICTs have become an important factor in nearly
all aspects of the economic and social life of individuals, providing channels for education,
labor productivity, social interaction, development of more inclusive businesses,
democracy, financial transactions, public utilities, national security and defense and other
interfaces between the key stakeholders in the digital environment.
According to CEPAL (2014), a technology-based economy (digital economy) has been
consolidated, which is a facilitator whose development and deployment takes place in an
ecosystem characterized by a growing and accelerated convergence of various
technologies, resulting in communication networks, hardware equipment, processing
services and web technologies. Figure 2.2 shows a digital economy ecosystem model with
three main components: the broadband network infrastructure, the ICT applications
industry and the end users, with enabling platforms and an institutional basis.
Figure 2.2. Digital Economy Ecosystem
Source: CEPAL (2014)
It is widely accepted that the evolution and maturity of the digital economy ecosystem
generates a positive impact on all the economic and social fields of society and on all the
sectors of the economy. This is how a worldwide digitization process has been generated,
resulting in financial benefits for the industries and the businesses that have been at the
forefront of said trends, obtaining greater knowledge from their customers and achieving
higher productivity and creating new business models. PwC (2011) designed an industry
digitization index based on which it identifies the businesses that lead the digitization
process such as the financial and insurance services industry, the automotive industry, the
computer and electronic equipment industry, and the media and telecommunications
industry. Similarly, it concludes that the digitization leading industries are moving fast,
while the progress among those lagging remains relatively low.
Figure 2.3. Industry digitization index in 2011 and 2012
Source: PwC (2011) and PwC (2012)
McKinsey Global Institute (2015) also designed the Industry digitization Index in the
United States where all economy sectors are analyzed through the lens of digital assets,
digital use and digital workforce. The index shows that the US economy is digitizing
unevenly, with large disparities between sectors. Beyond the ICT sector which often sets
the highest standard of digitization, and in accord with PwC measurements (2011) and
(2012), the communications, professional services and financial services are the economy
sectors most highly digitized. The index also highlights where there is space to grow the
digital capabilities. Public utilities, mining and manufacturing, for example, are in the first
phases of digitization and could be at the forefront of the next digitization wave.
Additionally, the working capital industries such as retail and health care are expanding
digital use, but a significant part of their big workforce does not use technology widely.
Industries that heavily depend on workforce and localized labor, such as construction,
entertainment and agriculture, tend to be less digitized.
Figure 2.4. Industry digitization index in the United States in 2015
Source: McKinsey (2015)
In this digitization process, the Internet is deemed as a platform on which each sector
of the economy is supported and it is a driving shaft to achieve gains in productivity,
competitiveness and economic growth. Katz (2015) concludes that both the digitization in
a country as well as the increase of ICT penetration such as broadband or mobile
telephony contribute positively to the growth of countries' GDP. For example, an annual
increase by 10% in the penetration of broadband in a medium-sized country of the OECD
shall contribute to the country's GDP annual growth by 0,29%, or an increase of 10% of the
digitization index of one country would generate an increment of 0,75% in its GDP per
capita.
Figure 2.5. Compared economic impact of a country's digitization and of the
broadband and mobile telephony penetration
Source: Katz (2015a)
Additionally, the participation of the ICTs in the total added value of the economy is
significant and has remained stable worldwide. As shown in Figure 2.6, OECD (2015b) estimated that
the ICT sector represented 5,5% of the total added value of the OECD countries (namely,
around USD$ 2,4 billion dollars) in 2013. This percentage shows great variations between
the countries, i.e. from 10,7% of the added value in Korea to less than 3% in Iceland and
Mexico.
Figure 2.6. Participation of the ICT sector in the total added value of OECD countries
in 2013
Source: OECD (2015b)
Similarly, OECD (2015b) estimated that the labor productivity (added value per
employed person) in the ICT sector for OECD countries was approximately USD$ 162.000
PPP⁵, being 79% higher than the rest of the economy. Figure 2.7 shows the labor
productivity estimates for said group where one can see that it varies from USD$ 200.000
PPP in the United States to USD$ 74.000 PPP in Hungary.
Figure 2.7. Labor productivity in the ICT sector and in the economy of the OECD
countries in 2013
Source: OECD (2015b)
Employment in the ICT sector represents more than 14 million people in the OECD
countries, nearly 3% of the total employment in said countries. Figure 2.8 shows the annual
growth rates of employment in the ICT sector between 2001 and 2013, as well as a
comparison of the percentage of employment of the ICT sector in respect of the total
employment in said countries between 2011 and 2014. OECD (2015b) concludes that the
contribution of the ICT sector to the growth of the total employment has varied
significantly in the last fifteen years. In 2013, the ICT sector represented 22% of the total
employment growth. Similarly, it concludes that while the employment in the ICT sector is
stable, the employment of ICT specialists in all the sectors of the economy has increased,
reaching at least 3% of the total employment in the majority of the OECD countries.
5 According to the OECD, the Purchasing Power Parity (PPP) is a currency conversion rate that is equal to the
purchasing power of various currencies eliminating the differences in the levels of prices between the countries.
Figure 2.8. Labor market in the ICT sector in OECD countries
Panels: Annual growth of ICT jobs; % ICT jobs in respect of the total of 2011 and 2014
Source: OECD (2015b)
Considering the foregoing, the increasing relevance of the digital environment in
socio economic activities and its high dynamism have brought about a joint set of risks,
threats, vulnerabilities and incidents of various types, to which individuals and public and
private organizations have been exposed. Table 2.2 summarizes some relevant cases of
digital security incidents during 2014 worldwide, which show that they can affect
any sector of the economy, with consequences that may negatively impact millions of
people, and even billions of people in the world.
Table 2.2. Big incidents of digital security in the world during 2014
Month of 2014 | Organization | Sector | Impact
January | SNAPCHAT | Social network | 4,5 million names and mobile numbers compromised
February | KICKSTARTER | Crowd funding | 5,6 million victims
March | KOREAN TELECOM | Telecommunications | 12 million subscriptions compromised
April | HEARTBLEED | Software | First of three open source vulnerabilities
May | EBAY | Purchases | Database of 145 million buyers compromised
June | PF CHANG'S | Food | Highest violation of high-level information of the month
July | ENERGETIC BEAR | Power | Cyber espionage operation in the energy industry
August | CYBERVOR | Technology | 1.2 million credentials compromised
September | iCLOUD | Entertainment | Celebrities accounts compromised
October | SANDWORM | Technology | Attack to Windows vulnerability
November | SONY PICTURES | Entertainment | Highest violation of high-level information of the year
December | INCEPTION FRAMEWORK | Public Sector | Cyber espionage operation in the public sector
Source: Adapted from Verizon (2015)
Digital security incidents are generally based on some malicious software, designed to
damage or illicitly use the information systems of the organizations. In particular,
malware⁶ is a type of software whose purpose is to infiltrate and damage a terminal or an
information system without the users´ authorization.
Figures 2.9 and 2.10 show the most common types of digital security incidents
worldwide in 2014 and 2015, respectively, among which we can highlight the trojans,
worms and viruses⁷. Phishing incidents are also highlighted, as their intent is to acquire
confidential information fraudulently.
Figure 2.9. Global distribution of malware and infection risks in 2014
6 English term used for any malicious software.
7 The trojan is a malware presented to the user as a seemingly legitimate and harmless program, but when
executed, it provides the attacker with a remote access to the infected terminal. The worm is a malware that
has the ability to duplicate itself. The virus is a malware whose purpose is to alter the normal operation of the
terminal, without the user´s permission or awareness.
Source: ISS (2014)
Figure 2.10. Types of most common digital security incidents in 2015
Source: Ponemon Institute (2015)
Today, digital security incidents worldwide⁸ have evolved and are more
sophisticated, to the point of being able to penetrate the security systems of government
institutions, international organizations, private sector businesses and the State´s critical
infrastructure. According to Intel Security (2015b), incidents caused by malware have
increased continuously in recent years, and the expectation is that they will exceed five hundred
million incidents in 2015.
8 According to the OAS (2014), “the current landscape in matters of cybernetic threats in Latin America and the
Caribbean shows that users are suffering the impact of threats that can be seen as a global trend and other
characteristics of each region. As an aggravating factor, Latin America and the Caribbean have the fastest growing
population of Internet users worldwide, with an increase of 12 percent in the last year”. Said report identified
the main trends that impact the region: 1) data breaches are increasing, 2) targeted attacks continue to increase,
3) social scams are increasing, 4) the malware increased, especially the bank trojans and thefts, and 5) mass
events are very attractive for criminals.
Figure 2.11. Evolution of malware worldwide to the third quarter of 2015 (cumulative)
Source: Intel Security Labs (2015b)
Digital incidents not only show an increasing global trend, but also affect any sector of
the economy. Figures 2.12 and 2.13, taken from the Internet security report 2015 of
SYMANTEC (2015), show how various sectors of the economy are affected by one specific
type of digital incident. Figure 2.12 shows the list of the ten sectors with more identity
exposure incidents in 2014, where the retail and financial sector can be highlighted. Figure
2.13 shows the ten sectors most affected in 2014 by “spear-phishing” incidents⁹.
Figure 2.12. Breached sectors by number of exposed identities
9 Fraud attempt through identity theft aimed at a specific organization, seeking non-authorized access to
confidential data, likely carried out by attackers seeking profit, trade secrets or military information.
Source: Adapted from SYMANTEC (2015)
Figure 2.13. Industries targeted by spear-phishing in 2014
Source: Adapted from SYMANTEC (2015)
On the other hand, the digital security incidents also have direct impact on the
finances of individuals and organizations. According to the Ponemon Institute (2015), the
estimated annual cost caused by digital security incidents varies according to the affected
economy sector. Figure 2.14 shows the digital security incidents estimated annual cost for
2015, where one can observe that for a typical organization of the financial sector the cost
is nearly USD $13 million per year, while for the public sector it is approximately USD $6
million.
Figure 2.14. Digital security incidents estimated annual cost for a typical organization per industry
(millions of dollars per year)
Source: Ponemon Institute (2015)
On the other hand, Intel Security (2013) estimated that the cost of malicious activities
in the digital environment for 2013, including the losses of intellectual property and
confidentiality of information, digital environment crimes, loss of strategic information,
opportunity costs due to the reduction of trust in digital environment activities, additional
insurance costs, and reputation loss for the attacked companies, was equivalent to an
aggregated figure between USD $300 billion (equivalent to Singapore or Hong Kong´s
GDP) and USD $1 billion (Mexico´s GDP) worldwide.
Intel Security (2014) estimated that the approximate annual cost for the global
economy of said malicious activities in 2014 was US$445 billion, which is equivalent to
0,57% of the global GDP, including the profit for the criminal offenders as well as the
security and recovery costs for the businesses. The conservative estimation was US$375
billion, while the maximum was estimated at US$575 billion. Given that the digital
economy generated in 2014 between US$2 billion and US$3 billion, Intel Security (2014)
estimated that the cost of the malicious activity in the digital environment is equivalent
to between 15% and 20% of the value created by the Internet.
Table 2.3. Estimated cost of malicious activities in the digital environment
ITEM | Estimated cost | Percentage of the global GDP
Piracy | USD$1 billion to USD$16 billion | 0,0012% to 0,02%
Arms trafficking | USD$600 billion | 0,77%*
Malicious activity in the digital environment | USD$300 billion to USD$1 trillion | 0,4% to 1,3%
Note: * recalculated based on the World Bank´s GDP figures.
Source: Adapted from Intel Security Labs (2013)
On the other hand, according to Intel Security (2015b), 2015 has marked the
beginning of a significant change towards new threats that are more difficult to detect,
including fileless threats, encrypted infiltrations and stolen credentials, among others.
Figure 2.15 shows the predictions of new types of threats in the digital environment, which
represents a scenario of greater uncertainty in respect of global digital security.
Figure 2.15. Predictions of new types of threats in the digital environment in the future
Source: Adapted from Intel Security Labs (2015b)
Another important aspect of digital security is that the associated risks point not only to
databases or information systems, but also to the national physical infrastructure, such as
hydro power stations, power networks, SCADA systems¹⁰, port systems, defense systems,
weapons of war, among others. To cite an example, terrorists could attempt to turn off the
collection of water of a hydro power plant or take the control of drones, weapons and
guidance systems of the military forces to cause damage to the population or even to the
very military facilities.
A study conducted by Intel Security (2015c) on incidents in critical infrastructures,
based on a survey held in 2015 among information security professionals of 625 global
organizations, shows that nearly nine out of ten respondents have experienced at least one
attack to their security systems in 2014, with an average of nearly twenty attacks per year.
10 English acronym for Supervisory Control And Data Acquisition. Control and monitoring system for remote
industrial equipment that operates with coded signals over a communication channel.
Additionally, more than 70% of the respondents think that the threats to their
organizations are increasing and 48% think it is likely that an attack that puts the
critical infrastructure out of operation can be accompanied by potential loss of life. Similarly,
it has been proven that threats to critical infrastructure are an unquestionable reality and
show an increasing trend. For example, more than 59% of the respondents indicated that
the attacks resulted in physical damage and more than 33% led to service interruption.
In addition to the foregoing, the OAS and Trend Micro (2015) conducted an online
survey in January 2015 among the Security Leads of the main critical infrastructures of the
Member States. Similarly, private organizations that manage the critical infrastructure of
the countries were included. Among the main outcomes, it was found that 53% of the
respondents observed an increment in the incidents in their computer systems during 2015
and that 76% of the respondents perceive that the incidents against the critical
infrastructures are becoming more sophisticated. In this sense, they also concluded that
the creators of the threats may be targeting the most vulnerable and critical infrastructures
in the future.
This leads to the conclusion that at international level the greater access and use of the
digital environment to perform socioeconomic activities is generating a new digital
economy with important social and economic impact in the countries. However, this new
economic environment has brought along new types of threats and modalities of digital
security incidents that demand more planning, prevention and attention by all the
stakeholders (i.e. governments, public and private organizations, academia and civil
society).
• National overview
In line with the international scene, Colombia has lived a digital revolution during the
last decade, especially since 2010 through the implementation of the Live Digital Plan (Plan
Vive Digital). According to the Ministry of Information and Communication Technologies,
in the country, the number of Internet connections increased five times, going from 2,2
million in 2010 to 12,2 million in 2015¹¹.
Figure 2.16. Evolution of Internet subscribers in Colombia
Source: DNP (2014a)
Similarly, according to the ICT MINISTRY, currently in Colombia 1.078 out of the 1.123
municipalities are connected to the optical fiber backbone. Also worth highlighting is the
implementation of 899 Vive Digital points, which are community access centers that
provide education in the use of Internet to persons of strata 1 and 2 in the entire country,
as well as 7.621 Vive Digital Kiosks, which are community access centers located in remote
areas and towns of more than 100 residents of rural Colombia.
Similarly, the ICT MINISTRY (2015a) established that the National Government made
the largest investment and donation of technology for public schools and colleges in the
entire country: 2 million tablets and computers. And through the initiative called
Apps.co, the largest entrepreneur network of Latin America was established (80.000
entrepreneurs), whose members are materializing their ICT-based business ideas. Today, 65% of the
citizens interact through electronic means with government agencies, performing more
than four hundred procedures online. Therefore, the citizens and the businesses are more
open and willing to interact with the State through the use of the ICT.
11 According to COLOMBIATIC (2015), this refers to broadband connections (Vive Digital) with a cut-off date to
30 September 2015. The target established in the National Development Plan 2014 – 2018 for 2018 is 27
million Internet connections.
Moreover, it is necessary to remember that Colombia currently has the National
Development Plan “All for a new country” whose pillars are peace, equality and education
for the period 2014 – 2018. For its execution, said plan is based on ICT supported
cross-sectional strategies. For example, DNP (2014b) provides that with respect to the
competitiveness and the strategic infrastructures, the plan sets forth the use of ICTs as
platform to achieve high levels of equality and education improving competitiveness.
Similarly, the ICTs are deemed as a cross-sectional component that is relevant in the
development of all the other economic sectors of the country¹².
As for social mobility, the objective of the plan is to close even more the gap in the
access to education and improve its quality through the efficient use of ICTs. With regards
to the transformation of the agricultural sector, the objective is to achieve rural
competitiveness through the adoption and promotion of said technologies. In aspects such
as justice, security and democracy to achieve peace, the pursuit is to guarantee access to
all the citizens to all types of justice related services through the use of ICTs. The good
government is achieved through the adequate use of the citizens information, ensuring its
timely and efficient management, as well as through the building of a more transparent
and open government. The green growth is aimed at achieving resilience and reducing the
vulnerability in respect of the risk of disasters and the climate change, and all this must be
supported by better and more integrated information systems.
Colombia invests in the benefits generated by the use of ICTs because these are
powerful tools that help transform the life of each and every one of the Colombians
through the supply of more and better infrastructure that allows access to Internet in
conjunction with the opportunities that are generated throughout the country, creating an
ICT appropriation and adoption culture that promotes the country´s economic and social
development.
12 For example, the ICTs are considered as support to the electric sector of Colombia, where the National
Interconnected System (SIN) groups the different activities of the service provision chain, which are divided
into: Generation system, National Transmission System (STN), Regional Transmission System (STR) and Local
Distribution System (SDL). The SIN includes 98,9% of the installed generation in the country. Under this context,
Colombia has made important progress in matters of automation of the STN and its integration with the
generation systems located in different areas of the national territory, showing the use of the ICT infrastructure
that supports the electric power system. Looking at the experience with the STN, the electric sector is ready to
take the next step to continue the automation of the SDL, which has a network of 200.000 km of lines divided
in more than 5.000 circuits with an average of nearly 100 transformers per circuit, which represent the
challenge of achieving the automation of the electric network in the Colombian territory by 2030.
According to the Digital Evolution Index of Tufts University (2013), Colombia is one of
the markets with the potential to develop strong digital economies, showing a consistent
and impressive improvement of its digital preparation status. Katz (2015b) points out that
the country went from being a “transitional digitization” country in 2013 to one of
“advanced transitional digitization” in 2015, by showing adequate changes in the political
and institutional context in respect of the ICT sector.
At regional level, digitization in Latin America has contributed US$ 195 billion
to the region´s GDP between 2005 and 2013. This means that the development of
digitization generated approximately 4,3% accumulated growth to Latin America´s GDP.
From Figure 2.17, Katz (2015b) estimated that digitization in Colombia contributed USD$
16 billion to the country´s GDP from 2005 to 2013, which represented 6,12% of the
accumulated growth of the GDP in said period.
Figure 2.17. Economic impact of digitization on Latin America (2005-2013)
In US$ millions at current exchange rate; % of the GDP that represents an increment of the GDP resulting from digitization (%)
Source: Adapted from Katz (2015a)
This situation is in accord with the economic behavior of the ICT sector in the country
over the last five years. Figure 2.18 shows the growth of the GDP and the GDP associated
to the Post and Telecommunications economic activity. Although there is a decrease of
1,8% in the second quarter of 2015, during the period 2010 to 2014 said branch showed
positive growth rates, in some cases above the economic growth rate.
Figure 2.18. Growth of the Gross Domestic Product and of the Post and Telecommunications activity 2010 - 2T 2015 (%)
Source: ICT MINISTRY (2015b)
Between 2010 and 2014, according to numbers from the Annual Service Survey of the
DANE, the ICT sector¹³ had a participation of 24% of the total added value of Colombia´s
economy in 2014. This means that the ICT sector is positioned as one of the sectors that
generates more added value in the country. Table 2.4 shows that although the added value
of the ICT sector grows at an annual average rate of 9%, its participation in the total added
value has decreased slightly since 2012.
On the other hand, as for the consumption of intermediate goods, taking advantage
of the production in the other sectors, the ICT sector grew 48% between 2010 and 2014.
Said increase evidences that each year, the ICT sector behaves as a cross-sectional sector in
Colombia´s economy, therefore influencing the growth of the other sectors. Similarly, the
participation of the intermediate consumption of the ICT sector in the total intermediate
consumption has increased reaching 33% in 2014.
13 The analysis of the ICT sector´s economic impact on the Colombian economy between 2010 and 2014, based
on the Annual Service Survey of the DANE displayed in Table 2.4, considers an approximate sample of 5.318
companies in Colombia (566 of the ICT sector) and deems the ICT sector in Colombia as a set of activities
according to the CIIU classification 3 and 4 established by the United Nations (UN) as follows: i) under CIIU
classification 3, the activities: I3 Post and mail activities, I4 Telecommunications, O1 Radio and television and
news agencies activities and K2 Computer and related activities, and ii) under the CIIU classification, the
activities: H2 Post and Mail, J3 Telecommunications activities, J2 Radio and television broadcasting and news
agencies and J4 Computer and information services.
With regard to the productivity of the ICT sector, Table 2.4 shows that for each peso
spent in the ICT sector in 2014, $1,6 pesos were generated as income or, in other words,
$0,6 pesos as return. This takes into account that the survey of the DANE measures the
productivity of the economic activities through the relation between income and
intermediate consumption. It is worth noting that the productivity of the sector has
decreased slightly since 2012.
The labor productivity in the ICT sector for Colombia in 2014 was approximately
$138.000 pesos, which is 257% higher than the country´s total labor productivity. It is
important to mention that the DANE calculates the labor productivity for each working
person through the relation between the added value of the economic activity and the
number of persons working in said activities. The ICT sector ranks first on the list of
activities with highest productivity levels per working person in 2014.
Lastly, the contribution of the ICT sector to the growth of total employment in
Colombia has increased slightly during the last five years. During said period, the
employment annual growth rate in the ICT sector was 2%. Moreover, it can be concluded
that the employment in the ICT sector accounted for 7% of the country´s total
employment.
Table 2.4. Economic impact of the ICT sector on Colombia´s economy between 2010 and 2014 (figures in pesos)
Source: ICT MINISTRY based on DANE´s Annual Service Survey (ASS) for 2010, 2011, 2012, 2013 and 2014
In addition to the foregoing, Colombia is making great efforts to reduce the digital
gap, since more Internet is equivalent to less poverty and more productivity, and the
development of the information infrastructure and its active use become a swift path for
economic growth. Obviously, the country wants to seize these opportunities and seeks
to become a relevant player in the digital economy. But it is also understood that this
would not be possible if the citizens and the businesses do not trust the digital
environment, or if there is no general and clear vision in place regarding digital security in the
country.
Although the increase of connectivity in Colombia has brought along countless
benefits for the country, it has also contributed to an increment of threats, crimes and
incidents in the digital environment that affect the security of citizens, public and private
organizations, and even the infrastructures that are part of the nation´s interests. During
the last few years, Colombia has been the focus of interest for several types of attackers.
The attack techniques and vectors have improved, resulting in
greater difficulty to detect them in a timely manner. CRC (2015) mentions that in Colombia, three
specific trends of incidents have been identified, which are shown in Figure 2.19.
Furthermore, Table 2.5 displays the methods used by criminals in Colombia to obtain the
information of financial customers, as identified by ASOBANCARIA (2015).
Item | 2010 | 2011 | 2012 | 2013 | 2014 | Growth rate between 2010 and 2014 | Average annual growth rate between 2010 and 2014
Total companies | 5343 | 5170 | 5427 | 5301 | 5351 | 0% | 0%
ICT sector companies | 576 | 552 | 563 | 558 | 579 | 1% | 0%
ICT sector companies vs total companies | 10,8% | 10,7% | 10,4% | 10,5% | 10,8% | |
Total employed personnel | 1364309 | 1415763 | 1493676 | 1595485 | 1705181 | 25% | 6%
ICT sector employed personnel | 84576 | 85948 | 93000 | 105725 | 116221 | 37% | 8%
ICT sector employed personnel vs total employed personnel | 6,2% | 6,1% | 6,2% | 6,6% | 6,8% | 10% | 2%
Total income (thousands of current $) | 82.389.436.832$ | 91.756.810.788$ | 103.402.734.660$ | 115.243.624.805$ | 126.035.184.558$ | 53% | 11%
ICT sector income (thousands of current $) | 25.091.681.684$ | 28.017.099.021$ | 30.604.072.934$ | 34.411.551.510$ | 37.769.880.923$ | 51% | 11%
ICT sector income vs total income (%) | 30,5% | 30,5% | 29,6% | 29,9% | 30,0% | |
ICT sector income per company (thousands of current $) | 43.561.947$ | 50.755.614$ | 54.358.922$ | 61.669.447$ | 65.232.955$ | 50% | 11%
Total added value (thousands of current $) | 43.076.868.441$ | 48.857.194.019$ | 55.278.004.839$ | 61.419.292.334$ | 65.745.558.538$ | 53% | 11%
ICT sector added value (thousands of current $) | 11.315.515.483$ | 12.646.287.222$ | 14.192.750.788$ | 15.640.944.849$ | 16.008.414.582$ | 41% | 9%
ICT sector added value vs total added value (%) | 26,3% | 25,9% | 25,7% | 25,5% | 24,3% | |
Total intermediate consumption (thousands of current $) | 37.060.840.194$ | 40.202.277.869$ | 44.925.214.151$ | 49.991.809.439$ | 55.543.342.122$ | 50% | 11%
ICT sector intermediate consumption (thousands of current $) | 12.315.349.763$ | 13.547.743.059$ | 14.285.044.139$ | 16.067.664.387$ | 18.232.907.927$ | 48% | 10%
ICT sector intermediate consumption vs total intermediate consumption (%) | 33,2% | 33,7% | 31,8% | 32,1% | 32,8% | |
Total personnel expenses (thousands of current $) | 27.989.926.902$ | 30.521.312.413$ | 34.889.923.521$ | 37.879.397.772$ | 41.487.367.815$ | 48% | 10%
ICT sector personnel expenses (thousands of current $) | 3.420.469.121$ | 3.863.365.433$ | 4.423.222.526$ | 5.029.288.455$ | 5.499.769.526$ | 61% | 13%
ICT sector personnel expenses vs total personnel expenses (%) | 12,2% | 12,7% | 12,7% | 13,3% | 13,3% | |
Total productivity | 1,27 | 1,30 | 1,30 | 1,31 | 1,30 | 3% | 1%
ICT sector total productivity | 1,59 | 1,61 | 1,64 | 1,63 | 1,59 | 0% | 0%
Labor productivity | 31.574$ | 34.509$ | 37.008$ | 38.496$ | 38.556$ | 22% | 5%
ICT sector labor productivity | 133.791$ | 147.139$ | 152.610$ | 147.940$ | 137.741$ | 3% | 1%
Monthly remuneration | 1.593$ | 1.682$ | 1.798$ | 1.839$ | 1.890$ | 19% | 4%
ICT sector monthly remuneration | 2.937$ | 3.320$ | 3.487$ | 3.559$ | 3.588$ | 22% | 5%
Figure 2.19. Trends of incidents in the digital environment in Colombia
Source: CRC (2015)
Table 2.5. Methods used by criminals in Colombia to obtain information of financial customers
Concept | Description
Phishing | Criminals forge the institution´s website in order to obtain personal and financial information (credit card numbers and passwords) and, via electronic mail or pop-ups, they direct the clients to a forged web page where they request their information.
Smishing | This fraudulent practice uses text messages, i.e. SMS, and social engineering to deceive persons in order to obtain personal and financial information.
Spy Software (Malware or trojans) | Criminals use a software to monitor the activities performed by the PC user. Similarly, they have access to the information that the user keys and to the contents of his electronic mails.
Key logger | By using software or hardware, criminals seek to record the text typed by the users on their PCs.
Cloning | Copying the information contained in the magnetic strip on debit and credit cards.
Source: ASOBANCARIA (2015)
In relation with the costs of the country´s digital security incidents, on the one hand
ISSS (2014) estimated that in Colombia, the cost of malicious activity in the digital
environment for 2013 was approximately USD$ 464 million. On the other hand, Intel
Security (2014) estimated that said cost for Colombia in 2014, was approximately 0,14% of
the GDP.
Figure 2.20. Cost of the malicious activity as % of the GDP in some countries in 2014
Source: Adapted from Intel Security (2014)
In addition to the foregoing, based on the information provided by Intel Security
Foundstone, a consulting services company in the field of response to incidents, discovery
of vulnerabilities and security strategy, and in collaboration with Intel Security, a total of
604.493 incidents were reported on 7 January 2016 in the United States and 77.423 in Brazil, while
in Colombia that number was 8.128.
Having analyzed the international and national arena around the evolution of access
to and use of ICTs in the digital environment, the conclusion is that Colombia is
increasingly digital thanks to the efforts of the national Government through the
implementation of effective sector policies that allow to promote the participation of the
society in the economic and social activities in the digital environment. The country´s
digitization generates economic growth and improvement of productivity and
competitiveness. However, greater use of the digital environment entails greater risks and
uncertainties. How to address them has been a topic of discussion at international level,
because the conditions to execute said economic and social activities have been changing
drastically. Therefore, the increase of incidents in the world and in the country generates
impact on the digital economy that must be addressed under an updated vision around
the matter.
3. CONCEPTUAL FRAMEWORK
This section discusses the new trends in respect of defining digital security strategies
or policies and the digital security risk management model based on best practices at
international level around the matter, a model towards which the national Government
must work.
According to the OECD (2015a), during the last ten years, the digital security incidents
have increased generating a series of uncertainties and significant consequences for each
and every one of the individuals and organizations. This situation has generated the
issuance of an international regulatory framework, see Table 3.1, as well as an intense
debate on how to address these incidents today.
Table 3.1. International Regulatory Framework
Instrument | Matter
Convention on Cybercrime of the Council of Europe – CCC (known as the Budapest Convention on Cybercrime), adopted in November 2001 and in force since 1 July 2004 | The main purpose of the convention is the adoption of a legislation that facilitates the prevention of criminal behavior and that contributes with effective tools in the penal field to allow the detection, investigation and prosecution of illegal behaviors. Only binding instrument on the matter at international level as well as its protocol to criminalize racist and xenophobic actions committed via computer systems. The Council deems that cybernetic crime demands a common penal policy intended to prevent crime in the cyberspace and in particular, through the adoption of a suitable legislation and the strengthening of international cooperation. It is important to highlight that although the CCC originated at European regional level, it is an open instrument for adherence by all the countries of the world. Worth noting is that Colombia received an invitation of the Council of Europe to adhere to the Budapest Convention as a result of a process started in 2011 with the enactment of CONPES document 3701, which required the Ministry of Foreign Relations to submit a formal request with the Council of Europe to invite Colombia to be part of the Budapest Convention. This way, on 20 September 2013, the Council of Europe´s Council of Ministers approved the invitation for Colombia to adhere to the Budapest Convention, and be part of the additional protocol related with the criminalization of racism or xenophobic related actions committed through computer systems. Based on this decision, Colombia has five (5) years to adhere to the international instrument.
Resolution AG/RES 2004 (XXXIV-O/04) of the General Assembly of the Organization of American States | Comprehensive Strategy to Combat Threats to Cybersecurity: Multidimensional and multidisciplinary approach to creating a culture of cybersecurity. It stipulates three avenues of action: i) Creation of a hemispheric network of Computer Security Incident Response Teams – CSIRT, assigned to the Inter-American Committee against Terrorism – CICTE; ii) identification and adoption of technical standards for safe Internet architecture, a job carried out by the Inter-American Telecommunications Commission; and iii) adoption and/or adapting of the legal instruments necessary to protect Internet users and information networks from criminals and organized criminal groups that use these means, under the responsibility of the Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas – REMJA. The Comprehensive Strategy is described in this Resolution AG/RES. 2004 (XXXIV-O/04), approved at the plenary session of the thirty fourth period of sessions of the OAS General Assembly, held on 8 June 2004. To this extent, the Resolutions have a compliance level different from that generated by a Treaty or a Convention, because if a country member of the OAS has approved the Resolution by vote, it is expected that the country has the same commitment to comply with it. In this case, Colombia as a member of the General Assembly of the OAS signed this Resolution, and the binding force of the resolutions is reflected in the obligation of the countries to submit reports and present results in relation with the agreements in said resolutions. Moreover, Colombia as member of the Inter-American Committee Against Terrorism (CICTE) and of the Inter-American Telecommunications Commission (CITEL), must be subject to the Resolutions and recommendations issued by those bodies. Lastly, it is important to consider that the OAS Resolutions do not have the binding nature of a treaty; however, the General Assembly is the supreme body of the OAS and all its expressions hold high diplomatic political value.
Decision 587 of the Andean Community dated 10 July 2004 | Whereby the Guidelines for the External Security Policy of the Andean Community are established. Objectives of said policy are to prevent, combat and eradicate the new threats to the security, and their interrelations, when appropriate, through cooperation and coordination efforts to confront the challenges that such threats represent for the Andean Community. According to article 3 of the Treaty Creating the Court of Justice of the CAN, the legal scheme of the CAN is supranational, which is translated into the issuance of common laws or standards that have direct effect and are binding in the member states as of their publication date in the Official Gazette of the Cartagena Agreement without the need to request prior approval by the National Parliaments for their entry into force and effect in each one of the member states.
Consensus on Cybersecurity of the International Telecommunications Union – ITU, within the United Nations, in execution of the Tunis action program for the information society 2005 | It seeks to promote the analysis of pertinent international concepts intended to strengthen the security of global information and telecommunications systems. The Resolutions that the ITU may issue are binding for Colombia, as the constitution of the ITU and the ITU Convention were approved by means of Laws 252 dated 1995 and 873 dated 2004, as well as the subsequent amendments.
Resolution 64/25 “Developments in the field of information and telecommunications in the context of international security”. United Nations General Assembly (UNGA). (2009)
The General Assembly exhorts all the member states to continue promoting
the multilateral analysis of real and potential threats in the information
security field and possible measures to limit the threats that may arise in that
area, consistently with the need to preserve the free circulation of
information. This Resolution follows the Assembly´s monitoring, with the
Resolutions issued until 2 December 2008. The Resolutions of the UN
General Assembly, such as those affecting budget, internal matters or
instructions to lower-ranking bodies are binding, however, the
recommendations of the General Assembly and the Resolutions based on
those are complied to the extent that the State can execute them according
to its budget.
Directive 2006/24 of the European Union
Directive 2006/24 set forth the retention of data generated or processed in
connection with the provision of publicly available electronic
communications services or of public communications networks, and served
as the reference enforced by the member states until 2014. This directive was
declared invalid by the Court of Justice of the European Union in April 2014
given that it imposed to the member states the obligation to adopt in the
internal legislations the retention of data transported over the
communications traffic, as it deemed that said measure violates the
fundamental rights in respect of private life and the protection of personal
data.
Statement of Principles
UNGA Resolutions: 55/63 and 56/121 Combating the criminal misuse of
information technologies; 57/239, 58/199 and 64/211 Creation of a global culture of
cybersecurity and the protection of critical information infrastructures; World
Summit on the Information Society (WSIS), Declaration of Principles and
Agenda of the Tunis Phase (in particular the C5 line of action). These are
general standards or principles that do not constitute rules and are not
binding; however, these actions or legal instruments without a mandatory
nature are incardinated in one way or another, in the source system of the
International Law (Soft Law).
National CyberSecurity Framework Manual of the NATO
The NATO published in 2012 in collaboration with the NATO Cooperative
Cyber Defence Centre of Excellence, the manual for the formulation of
national cybersecurity strategies for its member states.
Wales Summit Declaration NATO 2014
Official document of the outcome of the NATO Summit held in Cardiff
(Wales) on 4 and 5 September 2014, where the agreements to address
cybersecurity in the member states are highlighted.
Source: CRC (2015)
Additionally, many multilateral organizations, such as the ITU[14], OECD[15], NATO[16] and OAS,
as well as the private sector[17], have analyzed the approach to tackle the digital security
matter under the current conditions of the digital environment, where it is put forth that
the national strategies or policies around the matter should consider risk management, the
Governments´ systematic leadership, a multidimensional approach, shared accountability
and protection of national values. Figure 3.1 shows the evolution of the implementation of
digital security strategies in various countries, some members of the OECD, others not.
[14] The International Telecommunications Union –ITU– is the United Nations (UN) organization specialized in
telecommunications, responsible for regulating the telecommunications at international level among the
various administrations and operating companies. ITU (2011) established as general principles of a national
cybersecurity strategy, risk management, Governments´ systematic leadership, multidimensional approach,
shared responsibility and protection of national values.
[15] OECD (2015b) highlights a new generation of national cybersecurity strategies under national policies with
high-level leadership support within the national governments including all the society´s stakeholders with a
holistic approach covering economic, social, technical, legal, educational, diplomatic, military aspects and those
intelligence related.
[16] The North Atlantic Treaty Organization –NATO– also called Atlantic or North Atlantic, is a military
inter-government alliance based on the North Atlantic Treaty or the Treaty of Washington signed on 4 April 1949.
According to the manual for the formulation of national cybersecurity strategies presented by NATO´s Center
of Excellence for Cybersecurity Cooperation in CCDCOE (2012), one of the four trends in the formulation of
national strategies, in particular those designed by the United States and by the United Kingdom, is the
recognition that a diverse set of the threats and challenges requires a risk management based approach.
Similarly, it highlights the importance that said strategies must deal with a set of dilemmas, among others:
stimulate the economy versus improve national security.
[17] The Information Technology Industry Council –ITI– is the global voice of the IT sector and gathers the most
important ICT companies and organizations of the world. ITI (2011) and ITI (2012) recommend that a national
cybersecurity strategy must be based on risk management and must be focused on awareness raising among
and education of all the stakeholders in order to know how to reduce digital security risks, among others.
Figure 3.1. Evolution of the implementation of a digital security strategy in some
countries
Source: Adapted from Hernández (2014)
Upon reviewing the different national policies or strategies around the matter, one can
conclude that the national strategies for cybersecurity and cyberdefense have evolved
towards national strategies for digital security. There was a shift from cybersecurity and
cyberdefense strategy design focused mainly on objectives of national defense and
national security (fight against crime and delinquency) in the digital environment, towards
the design of strategies with a set of principles under a framework of digital security risk
management, differentiating the objectives of economic and social prosperity from the
country´s objectives in the field of defense and the fight against crime and delinquency in
the digital environment.
This is the position of the OECD, after more than two years of review and analysis of
more than thirty years of experiences in respect of the way these incidents in the digital
environment were addressed in the past and with regard to the objectives that the
countries had targeted to achieve. As a result of said work, the OECD adopted on 17
September 2015, the Recommendations of the Council on Digital Security Risk Management
for Economic and Social Prosperity. This document provides guides for the new generation
of strategies in respect of digital security management with the purpose of optimizing the
economic and social benefits expected due to the conduct of activities in an open digital
environment.
[Figure 3.1, text recovered from the image: 2015, strategies with a set of principles framed within digital security risk management, distinguishing the objectives of economic and social prosperity from the objectives of the country´s defense and of the fight against crime and delinquency in the digital environment. Labels, in the order they appear: France, 19/10/15, National Digital Security Strategy; Czech Republic, 16/02/15; Malta; Ireland, 02/07/15; Iceland; Portugal, 28/05/15; OECD Recommendations on digital security risk management, 17/09/15.]
The OECD´s recommendation puts forth to both the member states and to those who
have not adhered to: i) implement a set of principles at all levels of the Government and of
the public organizations, and ii) adopt a national strategy for digital security risk
management.
Figure 3.2 shows a summary of the OECD recommendations on Digital Security Risk
Management where a set of eight principles is highlighted; four general and four
operational, as well as a series of recommendations around the adoption of a strategy to
manage digital risks. In general terms, it is recommended that the policy addresses the
digital security risk as an economic and social challenge, creating conditions for all the
stakeholders to manage digital security risks in their economic and social activities,
promoting trust in the digital environment as a means to achieve the objectives.
Figure 3.2. Schematic summary of the OECD recommendations on Digital Security
Risk Management
Source: ICT MINISTRY (2015b)
Similarly, the recommendation is clear in advising that the policy that the countries
design must articulate a general vision, supported by the highest level of the Government,
under an efficient institutional model that involves each and every one of the stakeholders,
these being the same national Government, the public and private organizations, the
academia and the civil society. This national policy should clearly differentiate the
economic and social prosperity objectives from the country´s objectives in the field of
defense and the fight against crime and delinquency in the digital environment.
[Figure 3.2, text recovered from the image: General principles: empowerment; human rights and fundamental values; responsibility; cooperation. Operational principles: cyclical risk management; security measures; innovation; preparation and continuity. Adopt a national strategy that is consistent with the principles and creates conditions for all stakeholders to manage digital security risk in all economic and social activities, and that includes measures allowing the Government to carry out a series of actions.]
Figure 3.3 shows the summary of the principles put forth by the OECD for the building
of a digital security risk management policy. General principles are put forward such as: i)
knowledge, capability and empowerment, ii) accountability, iii) human rights and
fundamental values, and iv) cooperation. It also proposes operational principles, such as: i)
risk assessment and treatment cycle, ii) security measures, iii) innovation, and iv)
preparation and continuity.
Figure 3.3. Principles put forth by the OECD for the building of a digital security risk
management policy.
Source: ICT MINISTRY (2015b)
1. Knowledge, capabilities and empowerment
• All stakeholders must understand digital security risks.
• They must be aware that digital security risk can affect the achievement of their economic and social objectives and that theirs can affect others.
• They must be educated and possess the skills needed to understand the risk in order to manage it, and to assess the impact.
2. Responsibility
• Stakeholders must take responsibility for the management of digital security risk.
• They must act responsibly and be accountable, based on their roles and their ability to act, taking into account the possible impact of their decisions on others.
• They must recognize that a certain level of digital security risk has to be accepted in order to achieve economic and social objectives.
3. Human rights and fundamental values
• Stakeholders must manage digital security risks in a transparent manner that is consistent with human rights and fundamental values.
• Digital security risk management must be implemented consistently with freedom of expression, the free flow of information, the confidentiality of information, and the protection of privacy and personal data.
• Organizations must have a general policy of transparency about their practices and procedures for digital security risk management.
4. Cooperation
• All stakeholders must cooperate, including across borders.
• Global interconnectedness creates interdependencies among stakeholders and calls for their cooperation.
• It must take place within governments and private and public organizations, as well as between them and individuals.
• Cooperation must also extend across borders at regional and international level.
5. Risk assessment and treatment cycle
• Risk assessment must be carried out in a systematic and continuous manner.
• The possible consequences of threats combined with vulnerabilities on the economic and social activities at stake must be assessed.
• Risk treatment should aim to reduce the risk to an acceptable level relative to the economic and social benefits.
• Risk treatment includes several options: accept, mitigate, transfer, avoid, or a combination.
6. Security measures
• Leaders and decision makers must ensure that security measures are appropriate and proportionate to the risk.
• The digital security risk assessment must guide the selection, operation and improvement of security measures in order to reduce the risk to acceptable levels.
• Security measures must be appropriate and proportionate to the risk and must take into account their potential negative and positive impact on the economic and social activities they are intended to protect.
7. Innovation
• Leaders and decision makers must ensure that innovation is considered an integral part of reducing digital security risk.
• It must be fostered both in the design and operation of the economy and of social activities based on the digital environment, and in the design and development of security measures.
8. Preparation and continuity
• Leaders must ensure that continuity plans are adopted.
• To reduce the adverse effects of security incidents and to support the continuity and resilience of economic and social activities, preparation and continuity plans must be adopted.
• The plan must identify the measures to prevent, detect, respond to and recover from incidents, and provide clear escalation mechanisms.
• Appropriate notification procedures.
Lastly, Figure 3.1 highlights the adoption of a digital security national strategy by
France, a few days after the publication of the recommendation purpose of OECD´s
analysis. Said country defined a strategy based on some fundamental principles with five
strategic objectives around the digital security risk management. This has also been the
focus of the countries that issued their strategies even before the date of adoption of the
recommendations. Such is the case of the Czech Republic, Malta, Portugal, among others.
On the other hand, it is important to highlight that this change of approach has been
observed not only at government level but also at the private organizations level. PwC
(2015) concludes, based on The Global State of Information Security Survey 2016, that
effective digital security programs have started with a risk-based strategy, finding that
most of the organizations (91%) have adopted digital security risk management under
directives such as ISO 27001, which allow the organizations to identify and prioritize the
risks, and to generate a better internal and external communication. Figure 3.4 and Table
3.2 show the results of said survey.
Figure 3.4. Adoption of digital security strategies in organizations
Source: PwC, 2015
Table 3.2. Percentage of organizations that apply risk-based digital security
strategies
Type of organization surveyed                             Percentage
Financial services organizations                          92%
Public organizations                                      92%
Industrial products organizations                         86%
Entertainment, media and communications organizations     94%
Consumer organizations (retailers)                        90%
Telecommunications organizations                          93%
Total                                                     91%
Source: PwC, 2015
4. ANALYSIS
This section describes the country´s development in matters of digital security in
Colombia under the approach established in CONPES 3701 dated 2011. It also presents the
progress made in the analysis of international experiences around digital security through
the conduct of high-level working groups and it puts forth the general problem using five
specific issues intended to be resolved by implementing a national policy.
4.1. Progress of the recommendations established in CONPES 3701 dated 2011
CONPES document 3701 dated 2011, Policy Guidelines for Cybersecurity and
Cyberdefense in Colombia, established a work framework in order to address the digital
security issues during the period 2011 to 2015, formulating three strategic objectives: i)
implement adequate institutions, ii) provide specialized training and expand the research
lines in Cybersecurity and Cyberdefense, and iii) strengthen the legislation and the
international cooperation in order to forge a baseline that facilitates the building of a
national strategy. As for the achievement of the indicators established to track said
CONPES document, 90% of the activities proposed in the action plan of said document has
been fulfilled according to the provisions of the National Planning Department (DNP)
through the report submitted with cutoff date July 2015.
• Institutions
With respect to the execution of the activities defined in aforementioned CONPES
document, the institutions in this field were strengthened and this is reflected in the
creation of the Cyber Emergency Response Group (ColCERT), the Joint Cyber Command of
the Military Forces (CCOC) and the Police Cyber Center (CCP), in addition to the computer
security incident response team of the National Police (CSIRT-PONAL). In addition to these
institutions, other departments have been created within existing institutions, such as the
Data Protection Delegate at the Superintendence of Industry and Trade (SIC), and the Sub-
directorate of Security and Privacy of Information Technologies attached to the Directorate
of Information Technology Standards and Architecture of the Vice-Ministry of Information
Technologies and Systems of the Ministry of Information and Communication
Technologies, as well as the Cyber Units of the National Army, the National Navy and the
Colombian Air Force, among other organizations. The National Digital and State
Information Commission was created by means of Decree 32 dated 2013, whose functions
are, among others: i) advise the National Government in the position that it shall take
before the organizations in charge of matters related with Internet governance, domains,
intellectual property of the networks, cybersecurity, cyberdefense, protection and privacy
of the information, and ii) generate guidelines for the Cyber Emergency Response Group in
Colombia.
• Training
In regards to the Ministry of National Defense, it is important to point out that the
ColCERT team has promoted the diffusion of a Cybersecurity and Cyberdefense culture, as
well as the management of incidents in the State´s institutions. The CCOC in turn,
promoted the development and strengthening of its own cyberdefense capabilities and
those of the Cybernetic Units, and it provided guidelines and directives within the
institutions in this respect, in order to guarantee the defense of sovereignty, independence
and integrity of the national territory and of the constitutional order. Similarly, in
coordination with the ColCERT, a catalog of critical infrastructures is being developed
which shall enable the coordination and management of protection and defense plans of
said infrastructures. On the other hand, the CCP is in charge of the investigation and
prosecution of cybernetic crimes and to that effect it has specialized personnel, state of the
art equipment and laboratories. The operational results show the capabilities that have
been developed.
Similarly, education and training have been strengthened from various angles and
action fronts, in aspects such as awareness raising campaigns for the responsible use of
Internet with emphasis in children and youth and the provision of specialized training for
civil servants. Moreover, the country has advanced significantly in the generation of
specialized academic offer in this field. Today, there are more than fifty academic programs
varying from technical level to master studies, as well as a wide range of non-formal
education courses which include internationally recognized certifications.
• Legislation
With regards to the strengthening of the legislation, Colombia has a legal framework
in place that includes the recognition of data and information as a protected legal asset,
and it has regulations specifically aimed at aspects such as the protection of personal data,
regulation on the protection against exploitation, pornography, sexual tourism and all
other forms of sexual abuse involving minors. One of the aspects included in this
framework worth highlighting is that the Ministry of Information and Communication
Technologies established the implementation of an Online Government strategy, which
incorporates the adoption of Information Security Management Systems within public
administration institutions, contributing this way to generate dynamics that facilitate the
understanding of the problems associated to cybernetic incidents and their management,
an important aspect for developing the State´s institutional capabilities in the cybersecurity field.
• Cooperation
With regards to the strengthening of the international cooperation, significant steps
have been taken in this area. Colombia formally requested in 2013 through the Ministry of
Foreign Affairs the country´s adhesion to the Europe Convention on Cybercrime, also
known as Convention of Budapest, which establishes the principles of an international
agreement on cybersecurity and the sanction of crimes of that nature. With the World
Economic Forum, a multilateral convention was established to identify and address the
increasing systematic global risks derived from connectivity among people, processes and
objects.
Through the Inter-American Committee against Terrorism of the OAS work has been
done with “Incident Response Teams” (CSIRT), with Colombia being part of that hemispheric
alert that provides technical information to personnel specialized in these fields, promotes
the development of National Strategies on Cybersecurity and fosters the development of a
culture that allows its strengthening in the continent. With the OECD, in addition to the
support received as part of the international mission, Colombia fully shares the
recommendations established in the document called: “Recommendation of the Council on
Digital Security Risk Management for Economic and Social Prosperity”.
On this same front, the country has signed agreements with industry corporations to
access resources and programs specific to Cybersecurity and Cyberdefense, as well as with
international organizations such as the Anti-Phishing Working Group, with the purpose of
becoming part of this coalition of industry companies, legal authorities and government
institutions that collaborate in function of having better alert and response mechanisms for
cybernetic incidents. These partnerships have also been strengthened in the local context
with industry stakeholders.
Another aspect to highlight is that Colombia has eight (8) Computer Security incident
response teams that are members of the FIRST (Forum of Incident Response and Security Teams),
being the third country in the continent with the most registered teams, after the United
States and Canada.
In the regional arena, Colombia has positioned itself as one of the countries in the
region that has progressed the most in Cybersecurity and Cyberdefense related aspects,
which is reflected in the formal statistics, such as the World Cybersecurity Index of the
International Telecommunications Union (ITU), in which the country is currently ranked in
the fifth place at regional level, after the United States, Canada, Brazil and Uruguay; while
at global level, it shares the ninth position with Denmark, Egypt, France and Spain.
4.2. High-level working groups to analyze the status of the current policy
In spite of the progress made through the execution of the actions established in
CONPES Document 3701 dated 2011, all these results may not be construed as a sufficient
and effective capability to respond to digital incidents, because it has been proven that
countries in a better position than Colombia have experienced serious effects due to the
materialization of sophisticated and more frequent attacks in the cyberspace motivated by
interests of different kinds.
Undoubtedly CONPES Document 3701 dated 2011 led to new dynamics in this field;
however, as of 2014, a renewed momentum is pursued through the formulation and
development of new policies to strengthen the acquired capabilities, as well as the
development of more capabilities to counteract the threats in the cyberspace, strengthen
the institutions, update and harmonize the current regulatory framework and strengthen
the relation and cooperation with players and stakeholders at national and international
level, among other fronts.
This is why President Juan Manuel Santos, aware of the increment of incidents in this
area, requested the creation of a high-level Commission of National Experts led by the
Ministry of National Defense, the Ministry of Justice and the Ministry of Information and
Communication Technologies, that would be supported by an international commission, in
order to strengthen the Cybersecurity and Cyberdefense policies for the country, to allow
for the provision of guarantees in a cyberspace that is safe for the user and for the same
State in order to promote and strengthen political, economic and social development
observing respect for the constitutional rights, as well as assessing the vulnerabilities to
which Colombia is exposed in this field and therefore, the need to adjust to the challenges
imposed by the technological advances and the threats in the cyberspace.
Since the establishment of this Commission, the Ministries in charge held working
group sessions with national and international experts in order to perform an analysis and
make recommendations based on which the basis are built for a new policy direction for
Colombia taking into account the end of the validity date of CONPES Document 3701
dated 2011. The team of international experts was assisted by members of the Ministries
that make up the Commission, as well as by the ColCERT, CCOC, CCP and the public and
private sector, among others. The team of international experts was supported by the OAS,
as well as by experts from the governments of Canada, Spain, United States, Estonia, South
Korea, Israel, United Kingdom, Dominican Republic and Uruguay, and by members of the
World Economic Forum, of the OECD, and of the Europe Council and of the INTERPOL.
In the framework of these working groups, important input was obtained by assessing
the current conditions of the policy in order to take it to an advanced status comparable to
cybersecurity and cyberdefense policies worldwide. In the case of the working group of
national experts, the review was aimed at current aspects of the policy and at those still not
present, around five (5) dimensions: i) governance and effective coordination, ii)
preparation and prevention, iii) awareness of the current situation, iv) resilience, recovery
and response, and v) effective cooperation and exchange of information.
The international working group in turn issued recommendations focused in the need
to: i) develop a global vision for Cybersecurity, ii) adopt a national approach in risk
management, iii) establish a clear institutional framework, iv) establish a systematic process
to involve all the stakeholders in the development of the strategy and its implementation;
and v) adopt a policy for the protection and defense of the critical infrastructure, being
aware of the need to strengthen the personnel capabilities as well as the physical, logical,
legal and cooperation capabilities of the institutions.
In conclusion, one can state that there is agreement on the need to incorporate new
elements into the institutional structures, the legislation and the current actions, and to
incorporate guidance and directives in relation to Human Rights and enforcement of the
International Human Law in the cyberspace, so that a harmonious environment can be
achieved on these areas in the country and an adequate coordination at international level.
The proposals put forth led to the incorporation into the working groups of other
government and private institutions, representatives of the academia, civil organizations,
specialized companies and authorities in the matter, in order to enrich the proposed plan
of action and verify that the strategic recommendations that were received were
considered.
4.3. General problems
Based on the analysis performed by the national Government and the five problems
described below, the conclusion is that in Colombia there is no clear vision around digital
security and it is necessary to develop digital security related risk management, a situation
that leads to conclude that the country does not have a reliable and safe digital
environment, leading to the materialization of the risks associated to threats and incidents
that attempt against the citizens´ integrity, the Rule of Law, the exercise of fundamental
rights, the national security and defense and consequently, against the country´s economic
and social prosperity.
Thus a need emerges to establish new digital security guidelines and directives taking
into account components such as governance, education, cooperation, regulations,
research, innovation, diplomacy, development, protection, security and defense of critical
infrastructures, the State´s national interests among others, and focused on the citizens,
the society in general, the Military Forces and the public and private sectors, so that the
country has a social and economic structure in place that facilitates the achievement of the
State´s goals.
4.3.1. Colombia makes limited efforts to address the digital security issues, as
it does not have a clear and general, risk-based vision.
The work framework established in CONPES 3701 dated 2011 was focused on the
creation of an institutional framework led by the Ministry of National Defense that has
conducted its functions and activities in an efficient manner. Although this effort has
allowed an important positioning at international level around the matter, it is essential to
strengthen the national Government´s leadership and build a new clear general vision
under a comprehensive approach and in accordance with the best international practices
to address the risks of digital security. This situation involves a change in the policy
guidelines in force thus far.
At present, the following evidence is presented in respect of the issue:
• Colombia does not have an organization or entity responsible for national
coordination in matters of digital security.
• No Digital Security National Agenda has been designed that connects all the
institutions of the public sector and all the stakeholders.

Borrador 2 Documento Conpes - Seguridad Digital

  • 4. 4 Resumen ejecutivo The massive growth in the use of Information and Communication Technologies (i.e. ICT) in Colombia, as well as the increasing services available online and the growing participation of society in economic and social activities in the digital environment have transformed the life of each and every one of the Colombians; however, the use of the digital environment poses risks inherent to the digital security and must be managed. In just one day (7 January 2016), the incident response consulting services company Intel Security Foundstone monitored in total 8128 digital security incidents in Colombia. As a result of the issuance of CONPES document 3701 dated 2011, Policy Guidelines for Cybersecurity and Cyberdefense, institutions were implemented in the country which have been performing their functions and activities in an efficient manner headed by the Ministry of National Defense. Although this effort has allowed an important positioning at international level around the matter, it is essential to strengthen the national Government´s leadership and build a new clear general vision under a comprehensive approach and in accordance with the best international practices to address the risks of digital security. This situation involves a change in the policy guidelines in force thus far. This CONPES document puts forth a National Policy for Digital Security that articulates a clear general vision, supported by the highest level of the Government, under an efficient institutional model that involves each and every one of the stakeholders, these being the same national Government, the public and private organizations, the academia and the civil society. 
This policy clearly differentiates the economic and social prosperity objectives from the country´s defense and crime and delinquency fighting objectives in the digital environment, and it focuses on the implementation of a set of fundamental principles performing a series of specific actions under some strategic dimensions, around the management of risks in digital security. With respect to the economic and social prosperity objective, this policy addresses the digital security risk as an economic and social challenge, creating conditions for all the stakeholders to manage the digital security risk in their economic and social activities, promoting trust in the digital environment as a means to achieve the objectives of the National Development Plan 2014-2018 “All for a new country– Peace, Equality and Education” as well as of the Vive Digital Plan 2014-2018. To implement this policy, an action plan has been built involving a total investment of $xxxx.
  • 5. The results expected from adopting and implementing the National Policy for Digital Security are that Colombia: i) strengthens its institutional, regulatory, administrative and management capability in order to address digital security issues from the highest level, raising awareness among and training all the stakeholders, ii) builds a national strategy for digital security that generates trust and promotes the use of the digital environment in line with its fundamental values, and develops an efficient cooperation model involving all the stakeholders in the framework of digital security risk management in order to maximize the economic and social benefits in all the economic sectors, iii) protects the fundamental rights and the economic and social activities that its citizens perform in the digital environment, increases the fight against crime and delinquency in the digital environment and implements assistance mechanisms for victims of crimes in that environment, iv) ensures the defense of its fundamental interests and reinforces the digital security of its national critical infrastructures with a risk management approach, and v) participates actively at national and international level in the promotion of an open, stable and reliable digital environment, and in cooperation, collaboration and assistance with respect to the management of digital security risks. Lastly, it is estimated that the implementation of the National Policy for Digital Security by 2020 shall have a positive impact on Colombia's economy, generating by 2016 approximately 307.000 jobs and an approximate growth of 0,1% in the average annual variation rate of the Gross Domestic Product (GDP), without generating inflationary pressures.
Classification:
Keywords: Digital Security, Cyberdefense, Cybersecurity, Risk Management, Digital Environment, Digital Economy, Economic and Social Prosperity, Computer Threats, Capabilities, Coordination, Strengthening, Leadership, Critical Infrastructure, Cyberspace, Cryptology, Diplomacy.
  • 6. TABLE OF CONTENTS
1. INTRODUCTION
2. HISTORY AND JUSTIFICATION
3. CONCEPTUAL FRAMEWORK
4. ANALYSIS
4.1. Progress of the recommendations established in CONPES 3701 dated 2011
4.2. High-level working groups to analyze the status of the current policy
4.3. General problems
4.3.1. Colombia makes limited efforts to address the digital security issues, as it does not have a clear and general, risk-based vision.
  • 7. TABLE INDEX
Table 2.1. Projections of some indicators of the ICT use worldwide
Table 2.2. Big incidents of digital security in the world during 2014
Table 2.3. Estimated cost of malicious activities in the digital environment
Table 2.4. Economic impact of the ICT sector on Colombia's economy between 2010 and 2014 (figures in pesos)
Table 2.5. Methods used by criminals in Colombia to obtain information of financial customers
Table 3.1. International Regulatory Framework
Table 3.2. Percentage of organizations that apply risk-based digital security strategies
Table 4.1. National Regulatory Framework
INDEX OF FIGURES
Figure 2.1. Global development of ICT Services
Figure 2.2. Digital Economy Ecosystem
Figure 2.3. Industry digitization index in 2011 and 2012
Figure 2.4. Industry digitization index in the United States in 2015
Figure 2.5. Compared economic impact of a country's digitization and of the broadband and mobile telephony penetration
Figure 2.6. Participation of the ICT sector in the total added value of OECD countries in 2013
Figure 2.7. Labor productivity in the ICT sector and in the economy of the OECD countries in 2013
Figure 2.8. Labor market in the ICT sector in OECD countries
Figure 2.9. Global distribution of malware and infection risks in 2014
Figure 2.10. Types of most common incidents of digital security in 2015
Figure 2.11. Evolution of malware worldwide to the third quarter of 2015 (cumulative)
Figure 2.12. Breached sectors by number of exposed identities
Figure 2.13. Industries targeted by spear-phishing in 2014
Figure 2.14. Digital security incidents estimated annual cost for a typical organization per industry
Figure 2.15. Predictions of new types of threats in the digital environment in the future
  • 8. Figure 2.16. Evolution of Internet subscribers in Colombia
Figure 2.17. Economic impact of digitization on Latin America (2005-2013)
Figure 2.18. Growth of the Gross Domestic Product and of the Post and Telecommunications activity 2010 - 2T 2015 (%)
Figure 2.19. Trends of incidents in the digital environment in Colombia
Figure 2.20. Cost of the malicious activity as % of the GDP in some countries in 2014
Figure 3.1. Evolution of the implementation of a digital security strategy in some countries
Figure 3.2. Schematic summary of the OECD recommendations on Digital Security Risk Management
Figure 3.3. Principles put forth by the OECD for the building of a digital security risk management policy.
Figure 3.4. Adoption of digital security strategies in organizations
  • 9. ACRONYMS AND ABBREVIATIONS
CAI VIRTUAL: Command for Immediate Virtual Action of the National Police of Colombia
CCOC: Joint Cyber Command of CGFM Colombia
CCP: Police Cyber Center of the National Police of Colombia
CGFM: General Command of the Military Forces of Colombia
CICTE: Inter-American Committee Against Terrorism
ColCERT: Cyber Emergency Response Group
CONPES: National Council for Economic and Social Policy
CRC: Communications Regulatory Commission
CSIRT: Computer Security Incident Response Team
DANE: National Department of Statistics
DIJIN: Criminal Investigation Directorate
DNP: National Planning Department
EUROPOL: European Police Office
CI: Critical Infrastructure
INTERPOL: International Criminal Police Organization
CGEM: Computable General Equilibrium Model
ICT MINISTRY: Ministry of Information and Communication Technologies
OECD: Organization for Economic Cooperation and Development
OAS: Organization of American States
NATO: North Atlantic Treaty Organization
AMP: Action and Monitoring Plan
GDP: Gross Domestic Product
ICT: Information and Communication Technologies
ITU: International Telecommunication Union
  • 10. 1. INTRODUCTION
The massive growth in the use of Information and Communication Technologies (ICT) in Colombia, reflected in the increase from 2.2 million Internet connections in 2010 to 12.2 million in 2015,¹ due to the large scale of telecommunications networks as the basis for any socio-economic activity² and the increase of services available online,³ shows a significant increase in the digital participation of citizens which, in turn, translates into the existence of a digital life for the Colombian people. The massive use of ICT to conduct any socio-economic activity has led to the development of a growing digital economy in the country, generating the need to establish mechanisms to guarantee the security of individuals and their activities in the digital environment in the short, mid and long term. For example, the digital security incidents on IT platforms of the defense sector managed by the CCOC increased by 73% between 2014 and 2015, while the country's CCP has performed on average 330 arrests in 2014 and 2015, which shows a strong relation between the growth of this economy and the increase of the risks and uncertainties⁴ to which people are exposed in the digital environment.
¹ According to COLOMBIATIC (2015), this refers to broadband connections (Vive Digital) with a cut-off date of 30 September 2015. The target established in the National Development Plan 2014 – 2018 for 2018 is 27 million Internet connections.
² According to the SFC (2015), the number of financial operations (monetary and non-monetary) in Colombia through the Internet increased by 45% from 2012 to 2014 and through the Mobile Telephony channel by 252%. In the first quarter of 2015, Colombia's financial system carried out 2.026 million operations for $3.237,8 billion pesos, of which 863 million were carried out through the Internet (43% of the total) for an amount of $1.092,61 billion pesos (34% of the total).
³ According to the ICT Ministry's Online Government Program, the percentage of Colombian citizens that use electronic means to i) obtain information, ii) perform proceedings, iii) obtain services, iv) submit requests, complaints or claims, or v) participate in the decision making process went from 30% in 2009 to 65% in 2014. This is also reflected in Colombian companies, which went from 24% in 2009 to 81% in 2014 (http://estrategia.gobiernoenlinea.gov.co/623/w3-propertyvalue-7654.html). Additionally, the Colombian State portal offered in 2015 1.038 online proceedings (http://vive.gobiernoenlinea.gov.co/).
⁴ According to Intel Security (2014), the cost of malicious activities in the digital environment worldwide is estimated between 0,4% and 1,3% of the global GDP. This cost was approximately 0,14% of the GDP in 2014 for Colombia.
  • 11. The development of a solid digital economy that contributes positively to the generation of economic and social prosperity in the country requires the creation of an open, safe and reliable digital environment, in accordance with the growth and dynamics of people's digital activities. To that end, there must be a comprehensive and clear vision of digital security and of the management of risks associated with threats and incidents that may threaten the citizens' integrity, the rule of law, the exercise of fundamental rights, national security and defense, sovereignty and, therefore, economic and social prosperity. Thus a need emerges to establish new digital security guidelines and directives that take into account components such as governance, education, regulations, cooperation, research and development, innovation, security and the defense of critical infrastructures, and protection of the country's sovereignty, and that are focused on the citizens, society in general, the Military Forces and the public and private sectors, so that the country has a social and economic structure in place that facilitates the achievement of the State's goals. Considering the aforementioned issues and the needs associated with them, this document describes the guidelines to develop the Digital Security General Policy, whose intent is to ensure that the National Government, public and private organizations, academia and civil society in Colombia make massive and responsible use of an open, safe and reliable digital environment by strengthening their capabilities to identify, manage and mitigate the risks associated with digital activities. To develop the Digital Security General Policy, some unwavering fundamental principles are established, as well as some dimensions and strategic objectives which, once mapped, result in a set of specific goals and actions that materialize said policy (see section 5).
To prepare this document, the following input was mainly taken into consideration:
- Recommendations issued in September 2015 by the Organization for Economic Cooperation and Development (OECD), in respect of digital security risk management.
- Recommendations agreed during the international technical assistance missions and issued in April 2014 and in July 2015, which were sponsored by the Inter-American Committee Against Terrorism (CICTE) of the Organization of American
  • 12. States (OAS), with experts of the governments of Canada, Spain, United States, Estonia, South Korea, Israel, United Kingdom, Dominican Republic and Uruguay, as well as representatives of international organizations such as the World Economic Forum, the OECD, NATO and INTERPOL.
- Official statements and documents of the North Atlantic Treaty Organization (NATO) in respect of good practices in the design of national digital security strategies.
- Recommendations provided in 2014 and 2015 by national experts convened by the Ministry of Defense, Justice and Law and the Ministry of Information and Communication Technologies.
- Recommendations from the work groups in 2014 and 2015, expanded with key players of the public and private sectors, the civil society organizations, the academia, the ICT industry and companies specialized in digital security in Colombia.
- Recommendations from the work groups of the National Planning Department, the Ministry of Information and Communication Technologies, the Ministry of National Defense and other institutions related to digital security in Colombia, as well as from other stakeholders during the period between November 2015 and February 2016.
This document is organized as follows, with this section serving as the introduction. The second section contains the background and the description and scale of the current issues around digital security, which establish the justification. The third section contains the conceptual framework, while the fourth presents an analysis of the issues identified. The fifth section sets out Colombia's Digital Security National Policy, describing the fundamental principles, the strategic dimensions, the strategic objectives and the main goals with the actions to reach the core objective. This section also presents the timelines to track the implementation of this policy and its funding scheme. The sixth section presents a series of recommendations to implement the policy.
Lastly, sections seven to nine contain the glossary, the bibliography and the schedules, which include a detailed Action and Monitoring Plan (AMP).
2. HISTORY AND JUSTIFICATION
This section presents the international and national landscape on the trends in the use of ICT as the basis for any socio-economic activity, the resulting dynamics in the uncertainties of digital security during recent years, and the importance of these
  • 13. aspects for the development of a digital economy. Similarly, considerations are presented to formulate the Digital Security National Policy.
- International landscape
The swift evolution and adoption of technologies for any socio-economic activity, their increasing use at all socio-economic levels, the expansion of telecommunications networks, and the convergence phenomenon in the provision of communications services have marked the dynamics of this sector worldwide in recent years. Figure 2.1 shows the evolution of the global indicators on ICT services. Each of them shows growth over time, which indicates that ICT services are becoming more important for people. According to ITU (2015), strong growth has taken place in the penetration of mobile broadband, going from 12.6 subscribers per 100 inhabitants in 2010 to an estimate of 47.2 in 2015, which reflects the greater availability of this type of service and the subsequent fall in prices, allowing access to more people, and the growing scale and use of smart devices (smart phones and tablets). The number of individuals who use the Internet and of households with Internet access has maintained stable annual growth rates worldwide. We went from 29.2 individuals per one hundred who used the Internet in 2010 to an estimate of 43.4 in 2015, and from 29,9 households with Internet access per one hundred to an estimate of 46.6 in 2015.
Figure 2.1. Global development of ICT Services. Source: ITU (2015)
  • 14. Similarly, the international trends show that the digital environment is dynamic and grows continuously. Table 2.1 shows the projections of this growth worldwide. It is estimated that in the next five years the users of mobile broadband will grow by 33%, the terminals connected to the Internet by 49%, the generated data by 400%, the network traffic by 132%, the Internet devices by 1200% and the public cloud market by 63%; these aspects show the increasing relation between socio-economic activities and the digital environment.
Table 2.1. Projections of some indicators of the ICT use worldwide
| Projections | 2015 | 2020 | Increase in % |
| More users of mobile broadband | 3 billion | 4 billion | 33% |
| More connected terminals | 16.3 billion | 24.4 billion | 49% |
| More generated data | 8,8 zettabytes | 44 zettabytes | 400% |
| More IP network traffic (monthly) | 72,4 exabytes | 168 exabytes | 132% |
| Devices – Internet of Things | 15 billion | 200 billion * | 1200% |
| Size of the global public cloud market | USD$97 billion | USD$159 billion | 63% |
Note: * to 2018. Source: Adapted from Intel Security Labs (2015a)
As described thus far, ICT has become an important factor worldwide in nearly all aspects of the economic and social life of individuals, providing channels for education, labor productivity, social interaction, development of more inclusive businesses, democracy, financial transactions, public utilities, national security and defense and other interfaces between the key stakeholders in the digital environment. According to CEPAL (2014), a technology-based economy (digital economy) has been consolidated, which is a facilitator whose development and deployment takes place in an ecosystem characterized by a growing and accelerated convergence of various technologies, resulting in communication networks, hardware equipment, processing services and web technologies.
Figure 2.2 shows a digital economy ecosystem model with three main components: the broadband network infrastructure, the ICT applications industry and the end users, with enabling platforms and an institutional basis.
Figure 2.2. Digital Economy Ecosystem
  • 15. Source: CEPAL (2014)
It is widely accepted that the evolution and maturity of the digital economy ecosystem generates a positive impact on all the economic and social fields of society and on all the sectors of the economy. In this way a worldwide digitization process has been generated, resulting in financial benefits for the industries and the businesses that have been at the forefront of said trends, which have obtained greater knowledge of their customers, achieved higher productivity and created new business models. PwC (2011) designed an industry digitization index, based on which it identifies the industries that lead the digitization process, such as the financial and insurance services industry, the automotive industry, the computer and electronic equipment industry, and the media and telecommunications industry. Similarly, it concludes that the industries leading digitization are moving fast, while progress among those lagging remains relatively low.
Figure 2.3. Industry digitization index in 2011 and 2012
  • 16. Source: PwC (2011) and PwC (2012)
McKinsey Global Institute (2015) also designed the Industry Digitization Index for the United States, in which all sectors of the economy are analyzed through the lens of digital assets, digital use and digital workforce. The index shows that the US economy is digitizing unevenly, with large disparities between sectors. Beyond the ICT sector, which often sets the highest standard of digitization, and in accordance with the PwC measurements (2011) and (2012), communications, professional services and financial services are the most highly digitized sectors of the economy. The index also highlights where there is space to grow digital capabilities. Public utilities, mining and manufacturing, for example, are in the first phases of digitization and could be at the forefront of the next digitization wave. Additionally, the working capital industries such as retail and health care are expanding digital use, but a significant part of their big workforce does not use technology widely. Industries that heavily depend on workforce and localized labor, such as construction, entertainment and agriculture, tend to be less digitized.
Figure 2.4. Industry digitization index in the United States in 2015
  • 17. Source: McKinsey (2015)
In this digitization process, the Internet is deemed a platform on which each sector of the economy is supported, and it is a driving force to achieve gains in productivity, competitiveness and economic growth. Katz (2015) concludes that both digitization in a country and an increase in the penetration of ICT such as broadband or mobile telephony contribute positively to the growth of the countries' GDP. For example, an annual increase of 10% in the penetration of broadband in a medium-sized OECD country shall contribute 0,29% to the country's annual GDP growth, and an increase of 10% in the digitization index of a country would generate an increase of 0,75% in its GDP per capita.
  • 18. Figure 2.5. Compared economic impact of a country's digitization and of the broadband and mobile telephony penetration. Source: Katz (2015a)
Additionally, the participation of ICT in the total added value of the economy is significant and has remained stable worldwide. As shown in Figure 2.6, OECD (2015b) estimated that the ICT sector represented 5,5% of the total added value of the OECD countries (namely, around USD$ 2,4 billion dollars) in 2013. This percentage varies greatly between countries, from 10,7% of the added value in Korea to less than 3% in Iceland and Mexico.
Figure 2.6. Participation of the ICT sector in the total added value of OECD countries in 2013. Source: OECD (2015b)
  • 19. Similarly, OECD (2015b) estimated that the labor productivity (added value per employed person) in the ICT sector for OECD countries was approximately USD$ 162.000 PPP,⁵ which is 79% higher than in the rest of the economy. Figure 2.7 shows the labor productivity estimates for said group, where one can see that it varies from USD$ 200.000 PPP in the United States to USD$ 74.000 PPP in Hungary.
Figure 2.7. Labor productivity in the ICT sector and in the economy of the OECD countries in 2013. Source: OECD (2015b)
Employment in the ICT sector represents more than 14 million people in the OECD countries, nearly 3% of the total employment in said countries. Figure 2.8 shows the annual growth rates of employment in the ICT sector between 2001 and 2013, as well as a comparison of the percentage of employment of the ICT sector in respect of the total employment in said countries between 2011 and 2014. OECD (2015b) concludes that the contribution of the ICT sector to the growth of total employment has varied significantly in the last fifteen years. In 2013, the ICT sector represented 22% of the total employment growth. Similarly, it concludes that while employment in the ICT sector is stable, the employment of ICT specialists in all the sectors of the economy has increased, reaching at least 3% of the total employment in the majority of the OECD countries.
⁵ According to the OECD, the Purchasing Power Parity (PPP) is a currency conversion rate that equalizes the purchasing power of various currencies by eliminating the differences in price levels between countries.
  • 20. Figure 2.8. Labor market in the ICT sector in OECD countries (panels: annual growth of ICT jobs; % ICT jobs in respect of the total of 2011 and 2014). Source: OECD (2015b)
Considering the foregoing, the increasing relevance of the digital environment in socio-economic activities and its high dynamism have brought about a set of joint risks, threats, vulnerabilities and incidents of various types, to which individuals and public and private organizations have been exposed. Table 2.2 summarizes some relevant cases of digital security incidents worldwide during 2014, in which one can observe their effect on any sector of the economy, with consequences that may negatively impact millions of people, and even billions of people in the world.
Table 2.2. Big incidents of digital security in the world during 2014
| Month of 2014 | Organization | Sector | Impact |
| January | SNAPCHAT | Social network | 4,5 million names and mobile numbers compromised |
| February | KICKSTARTER | Crowd funding | 5,6 million victims |
| March | KOREAN TELECOM | Telecommunications | 12 million subscriptions compromised |
| April | HEARTBLEED | Software | First of three open source vulnerabilities |
| May | EBAY | Purchases | Database of 145 million buyers compromised |
| June | PF CHANG'S | Food | Highest violation of high-level information of the month |
| July | ENERGETIC BEAR | Power | Cyber espionage operation in the energy industry |
| August | CYBERVOR | Technology | 1.2 million credentials compromised |
| September | iCLOUD | Entertainment | Celebrities' accounts compromised |
| October | SANDWORM | Technology | Attack on Windows vulnerability |
| November | SONY PICTURES | Entertainment | Highest violation of high-level information of the year |
| December | INCEPTION FRAMEWORK | Public Sector | Cyber espionage operation in the public sector |
Source: Adapted from Verizon (2015)
  • 21. Digital security incidents are generally based on some malicious software, designed to damage or illicitly use the information systems of organizations. In particular, malware⁶ is a type of software whose purpose is to infiltrate and damage a terminal or an information system without the users' authorization. Figures 2.9 and 2.10 show the most common types of digital security incidents worldwide in 2014 and 2015, respectively, among which we can highlight trojans, worms and viruses.⁷ Phishing incidents are also highlighted, as their intent is to acquire confidential information fraudulently.
Figure 2.9. Global distribution of malware and infection risks in 2014
⁶ English term used for any malicious software.
⁷ The trojan is malware presented to the user as a seemingly legitimate and harmless program which, when executed, provides the attacker with remote access to the infected terminal. The worm is malware that has the ability to duplicate itself. The virus is malware whose purpose is to alter the normal operation of the terminal, without the user's permission or awareness.
  • 23. Figure 2.10. Types of most common digital security incidents in 2015. Source: Ponemon Institute (2015)
Today, digital security incidents worldwide⁸ have evolved and are more sophisticated, to the point of being able to penetrate the security systems of government institutions, international organizations, private sector businesses and the State's critical infrastructure. According to Intel Security (2015b), incidents caused by malware have increased continuously in recent years, and the expectation is that they will exceed five hundred million incidents in 2015.
⁸ According to the OAS (2014), "the current landscape in matters of cybernetic threats in Latin America and the Caribbean shows that users are suffering the impact of threats that can be seen as a global trend and other characteristics of each region. As an aggravating factor, Latin America and the Caribbean have the fastest growing population of Internet users worldwide, with an increase of 12 percent in the last year". Said report identified the main trends that impact the region: 1) data breaches are increasing, 2) targeted attacks continue to increase, 3) social scams are increasing, 4) malware increased, especially bank trojans and thefts, and 5) mass events are very attractive for criminals.
  • 24. Figure 2.11. Evolution of malware worldwide to the third quarter of 2015 (cumulative). Source: Intel Security Labs (2015b)
Digital incidents not only show an increasing global trend, but also affect any sector of the economy. Figures 2.12 and 2.13, taken from the Internet security report 2015 of SYMANTEC (2015), show how various sectors of the economy are affected by one specific type of digital incident. Figure 2.12 shows the list of the ten sectors with the most identity exposure incidents in 2014, among which the retail and financial sectors stand out. Figure 2.13 shows the ten sectors most affected in 2014 by "spear-phishing" incidents.⁹
Figure 2.12. Breached sectors by number of exposed identities
⁹ Fraud attempt through identity theft aimed at a specific organization, seeking non-authorized access to confidential data, likely carried out by attackers seeking profit, trade secrets or military information.
  • 25. Source: Adapted from SYMANTEC (2015)
Figure 2.13. Industries targeted by spear-phishing in 2014. Source: Adapted from SYMANTEC (2015)
On the other hand, the digital security incidents also have direct impact on the finances of individuals and organizations. According to the Ponemon Institute (2015), the estimated annual cost caused by digital security incidents varies according to the affected economy sector. Figure 2.14 shows the digital security incidents estimated annual cost for 2015, where one can observe that for a typical organization of the financial sector the cost is nearly USD $13 million per year, while for the public sector it is approximately USD $6 million.
Figure 2.14. Digital security incidents estimated annual cost for a typical organization per industry (millions of dollars per year)
  • 26. Source: Ponemon Institute (2015)
On the other hand, Intel Security (2013) estimated that the cost of malicious activities in the digital environment for 2013, including the losses of intellectual property and confidentiality of information, digital environment crimes, loss of strategic information, opportunity costs due to the reduction of trust in digital environment activities, additional insurance costs, and reputation loss for the attacked companies, was equivalent to an aggregate figure between USD $300 billion (equivalent to Singapore or Hong Kong's GDP) and USD $1 billion (Mexico's GDP) worldwide. Intel Security (2014) estimated that the approximate annual cost of said malicious activities for the global economy in 2014 was US$445 billion, which is equivalent to 0,57% of the global GDP, including the profit for the criminal offenders as well as the security and recovery costs for businesses. The conservative estimate was US$375 billion, while the maximum was estimated at US$575 billion. Given that the digital economy generated between US$2 billion and $ 3 billion in 2014, Intel Security (2014) estimated that the cost of the malicious activity in the digital environment is equivalent to between 15% and 20% of the value created by the Internet.
Table 2.3. Estimated cost of malicious activities in the digital environment
| ITEM | Estimated cost | Percentage of the global GDP |
| Piracy | USD$1 billion to USD$16 billion | 0,0012% to 0,02% |
| Arms trafficking | USD$600 billion | 0,77%* |
| Malicious activity in the digital environment | USD$300 billion to USD$1 trillion | 0,4% to 1,3% |
  • 27. 27 Note: * recalculated based on the World Bank's GDP figures. Source: Adapted from Intel Security Labs (2013) On the other hand, according to Intel Security (2015b), 2015 marked the beginning of a significant change towards new threats that are more difficult to detect, including fileless threats, encrypted infiltrations and stolen credentials, among others. Figure 2.15 shows the predictions of new types of threats in the digital environment, which represent a scenario of greater uncertainty with respect to global digital security. Figure 2.15. Predictions of new types of threats in the digital environment in the future Source: Adapted from Intel Security Labs (2015b) Another important aspect of digital security is that the associated risks point not only to databases or information systems, but also to the national physical infrastructure, such as hydro power stations, power networks, SCADA systems10, port systems, defense systems and weapons of war, among others. To cite an example, terrorists could attempt to turn off the collection of water of a hydro power plant or take control of drones, weapons and guidance systems of the military forces to cause damage to the population or even to the military facilities themselves. A study conducted by Intel Security (2015c) on incidents in critical infrastructures, based on a survey held in 2015 among information security professionals of 625 global organizations, shows that nearly nine out of ten respondents experienced at least one attack on their security systems in 2014, with an average of nearly twenty attacks per year. 10 English acronym for Supervisory Control And Data Acquisition. Control and monitoring system for remote industrial equipment that operates with coded signals over a communication channel
  • 28. 28 Additionally, more than 70% of the respondents think that the threats to their organizations are increasing and 48% think it is likely that an attack that puts critical infrastructure out of operation can be accompanied by potential loss of life. Similarly, it has been proven that threats to critical infrastructure are an unquestionable reality and show an increasing trend. For example, more than 59% of the respondents indicated that the attacks resulted in physical damage and more than 33% led to service interruption. In addition to the foregoing, the OAS and Trend Micro (2015) conducted an online survey in January 2015 among the Security Leads of the main critical infrastructures of the Member States. Similarly, private organizations that manage the critical infrastructure of the countries were included. Among the main outcomes, it was found that 53% of the respondents observed an increment in the incidents in their computer systems during 2015 and that 76% of the respondents perceive that the incidents against critical infrastructures are becoming more sophisticated. In this sense, they also concluded that the creators of the threats may target the most vulnerable and critical infrastructures in the future. This leads to the conclusion that, at international level, the greater access to and use of the digital environment to perform socio-economic activities is generating a new digital economy with important social and economic impact in the countries. However, this new economic environment has brought along new types of threats and modalities of digital security incidents that demand more planning, prevention and attention by all the stakeholders (i.e. governments, public and private organizations, academia and civil society). National overview In line with the international scene, Colombia has lived a digital revolution during the last decade, especially since 2010 through the implementation of the Live Digital Plan (Plan Vive Digital).
According to the Ministry of Information and Communication Technologies,
  • 29. 29 in the country, the number of Internet connections increased five times, going from 2,2 million in 2010 to 12,2 million in 2015.11 Figure 2.16. Evolution of Internet subscribers in Colombia Source: DNP (2014a) Similarly, according to the ICT MINISTRY, currently in Colombia 1.078 out of the 1.123 municipalities are connected to the optical fiber backbone. Also worth highlighting is the implementation of 899 Vive Digital points, which are community access centers that provide education in the use of Internet to persons of strata 1 and 2 in the entire country, as well as 7.621 Vive Digital Kiosks, which are community access centers located in remote areas and towns of more than 100 residents of rural Colombia. Similarly, the ICT MINISTRY (2015a) established that the National Government made the largest investment and donation of technology for public schools and colleges in the entire country: 2 million tablets and computers. And through the initiative called Apps.co, the largest entrepreneur network of Latin America was established (80.000 entrepreneurs), who are materializing their ICT-based business ideas. Today, 65% of the citizens interact through electronic means with government agencies, performing more than four hundred procedures online. Therefore, the citizens and the businesses are more open and willing to interact with the State through the use of ICT. 11 According to COLOMBIATIC (2015), this refers to broadband connections (Vive Digital) with a cut-off date of 30 September 2015. The target established in the National Development Plan 2014 – 2018 for 2018 is 27 million Internet connections.
  • 30. 30 Moreover, it is necessary to remember that Colombia currently has the National Development Plan “All for a new country”, whose pillars are peace, equality and education for the period 2014 – 2018. For its execution, said plan is based on ICT-supported cross-sectional strategies. For example, DNP (2014b) provides that, with respect to competitiveness and strategic infrastructures, the plan sets forth the use of ICTs as a platform to achieve high levels of equality and education, improving competitiveness. Similarly, the ICTs are deemed a cross-sectional component that is relevant in the development of all the other economic sectors of the country12. As for social mobility, the objective of the plan is to close even more the gap in access to education and improve its quality through the efficient use of ICTs. With regard to the transformation of the agricultural sector, the objective is to achieve rural competitiveness through the adoption and promotion of said technologies. In aspects such as justice, security and democracy to achieve peace, the pursuit is to guarantee access for all the citizens to all types of justice-related services through the use of ICTs. Good government is achieved through the adequate use of citizens' information, ensuring its timely and efficient management, as well as through the building of a more transparent and open government. Green growth is aimed at achieving resilience and reducing vulnerability with respect to the risk of disasters and climate change, and all this must be supported by better and more integrated information systems.
Colombia invests in the benefits generated by the use of ICTs because these are powerful tools that help transform the life of each and every one of the Colombians 12 For example, the ICTs are considered as support to the electric sector of Colombia, where the National Interconnected System (SIN) groups the different activities of the service provision chain, which are divided into: Generation system, National Transmission System (STN), Regional Transmission System (STR) and Local Distribution System (SDL). The SIN includes 98,9% of the installed generation in the country. In this context, Colombia has made important progress in the automation of the STN and its integration with the generation systems located in different areas of the national territory, showing the use of the ICT infrastructure that supports the electric power system. Looking at the experience with the STN, the electric sector is ready to take the next step and continue with the automation of the SDL, which has a network of 200.000 km of lines divided into more than 5.000 circuits with an average of nearly 100 transformers per circuit, which represents the challenge of achieving the automation of the electric network in the Colombian territory by 2030.
  • 31. 31 through the supply of more and better infrastructure that allows access to Internet in conjunction with the opportunities that are generated throughout the country, creating an ICT appropriation and adoption culture that promotes the country's economic and social development. According to the Digital Evolution Index of Tufts University (2013), Colombia is one of the markets with the potential to develop strong digital economies, showing a consistent and impressive improvement of its digital preparation status. Katz (2015b) points out that the country went from being a “transitional digitization” country in 2013 to one of “advanced transitional digitization” in 2015, by showing adequate changes in the political and institutional context with respect to the ICT sector. At regional level, digitization in Latin America contributed US$ 195 billion to the region's GDP between 2005 and 2013. This means that the development of digitization generated approximately 4,3% accumulated growth in Latin America's GDP. From Figure 2.17, Katz (2015b) estimated that digitization in Colombia contributed USD$ 16 billion to the country's GDP from 2005 to 2013, which represented 6,12% of the accumulated growth of the GDP in said period. Figure 2.17. Economic impact of digitization on Latin America (2005-2013) [axes: US$ millions at current exchange rate; increment of the GDP resulting from digitization, as % of the GDP] Source: Adapted from Katz (2015a) This situation is in accord with the economic behavior of the ICT sector in the country over the last five years. Figure 2.18 shows the growth of the GDP and the GDP associated
  • 32. 32 to the Post and Telecommunications economic activity. Although there was a decrease of 1,8% in the second quarter of 2015, during the period 2010 to 2014 said branch showed positive growth rates, in some cases above the economic growth rate. Figure 2.18. Growth of the Gross Domestic Product and of the Post and Telecommunications activity 2010 - 2T 2015 (%) Source: ICT MINISTRY (2015b) Between 2010 and 2014, according to numbers from the Annual Service Survey of the DANE, the ICT sector13 had a participation of 24% of the total added value of Colombia's economy in 2014. This means that the ICT sector is positioned as one of the sectors that generates more added value in the country. Table 2.4 shows that although the added value of the ICT sector grows at an annual average rate of 9%, its participation in the total added value has decreased slightly since 2012. On the other hand, as for the consumption of intermediate goods, taking advantage of the production in the other sectors, the ICT sector grew 48% between 2010 and 2014. Said increase shows that each year the ICT sector behaves as a cross-sectional sector in Colombia's economy, therefore influencing the growth of the other sectors. Similarly, the participation of the intermediate consumption of the ICT sector in the total intermediate consumption has increased, reaching 33% in 2014.
13 The analysis of the ICT sector's economic impact on the Colombian economy between 2010 and 2014 based on the Annual Service Survey of the DANE displayed in Table 2.4 considers an approximate sample of 5.318 companies in Colombia (566 of the ICT sector) and deems the ICT sector in Colombia as a set of activities according to the CIIU classification 3 and 4 established by the United Nations (UN) as follows: i) under CIIU classification 3, the activities: I3 Post and mail activities, I4 Telecommunications, O1 Radio and television and news agencies activities and K2 Computer and related activities, and ii) under the CIIU classification, the activities: H2 Post and Mail, J3 Telecommunications activities, J2 Radio and television broadcasting and news agencies and J4 Computer and information services.
  • 33. 33 With regard to the productivity of the ICT sector, Table 2.4 shows that for each peso spent in the ICT sector in 2014, $1,6 pesos were generated as income or, in other words, $0,6 pesos as return. This takes into account that the survey of the DANE measures the productivity of the economic activities through the relation between income and intermediate consumption. It is worth noting that the productivity of the sector has decreased slightly since 2012. The labor productivity in the ICT sector for Colombia in 2014 was approximately $138.000 pesos, this being 257% higher than the country's total labor productivity. It is important to mention that the DANE calculates the labor productivity for each working person through the relation between the added value of the economic activity and the number of persons working in said activities. The ICT sector ranks first on the list of activities with the highest productivity levels per working person in 2014. Lastly, the contribution of the ICT sector to the growth of total employment in Colombia has increased slightly during the last five years. During said period, the annual employment growth rate in the ICT sector was 2%. Moreover, it can be concluded that employment in the ICT sector accounted for 7% of the country's total employment. Table 2.4. Economic impact of the ICT sector on Colombia's economy between 2010 and 2014 (figures in pesos)
  • 34. 34 Source: ICT MINISTRY based on DANE's Annual Service Survey (ASS) for 2010, 2011, 2012, 2013 and 2014 In addition to the foregoing, Colombia is making great efforts to reduce the digital gap, since more Internet is equivalent to less poverty and more productivity, and the development of the information infrastructure and its active use become a swift path for economic growth. Obviously, the country wants to seize these opportunities and seeks to become a relevant player in the digital economy. But it is also understood that this would not be possible if the citizens and the businesses do not trust the digital environment if there is no general and clear vision in place regarding digital security in the country. Although the increase of connectivity in Colombia has brought along countless benefits for the country, it has also contributed to an increment of threats, crimes and incidents in the digital environment that affect the security of citizens, public and private organizations, and even the infrastructures that are part of the nation's interests. During the last few years, Colombia has been the focus of interest for several types of attackers. The attack techniques and vectors have improved bringing increased, and resulting in greater difficulty to timely detect them. CRC (2015) mentions that in Colombia three specific trends of incidents have been identified; these are shown in Figure 2.19. Furthermore, Table 2.5 displays the methods used by criminals in Colombia to obtain the information of financial customers, as identified by ASOBANCARIA (2015).
Indicator | 2010 | 2011 | 2012 | 2013 | 2014 | Growth rate between 2010 and 2014 | Average annual growth rate between 2010 and 2014
Total companies | 5343 | 5170 | 5427 | 5301 | 5351 | 0% | 0%
ICT sector companies | 576 | 552 | 563 | 558 | 579 | 1% | 0%
ICT sector companies vs total companies | 10,8% | 10,7% | 10,4% | 10,5% | 10,8% | |
Total employed personnel | 1364309 | 1415763 | 1493676 | 1595485 | 1705181 | 25% | 6%
ICT sector employed personnel | 84576 | 85948 | 93000 | 105725 | 116221 | 37% | 8%
ICT sector employed personnel vs total employed personnel | 6,2% | 6,1% | 6,2% | 6,6% | 6,8% | 10% | 2%
Total income (thousands of current $) | 82.389.436.832$ | 91.756.810.788$ | 103.402.734.660$ | 115.243.624.805$ | 126.035.184.558$ | 53% | 11%
ICT sector income (thousands of current $) | 25.091.681.684$ | 28.017.099.021$ | 30.604.072.934$ | 34.411.551.510$ | 37.769.880.923$ | 51% | 11%
ICT sector income vs total income (%) | 30,5% | 30,5% | 29,6% | 29,9% | 30,0% | |
ICT sector income per company (thousands of current $) | 43.561.947$ | 50.755.614$ | 54.358.922$ | 61.669.447$ | 65.232.955$ | 50% | 11%
Total added value (thousands of current $) | 43.076.868.441$ | 48.857.194.019$ | 55.278.004.839$ | 61.419.292.334$ | 65.745.558.538$ | 53% | 11%
ICT sector added value (thousands of current $) | 11.315.515.483$ | 12.646.287.222$ | 14.192.750.788$ | 15.640.944.849$ | 16.008.414.582$ | 41% | 9%
ICT sector added value vs total added value (%) | 26,3% | 25,9% | 25,7% | 25,5% | 24,3% | |
Total intermediate consumption (thousands of current $) | 37.060.840.194$ | 40.202.277.869$ | 44.925.214.151$ | 49.991.809.439$ | 55.543.342.122$ | 50% | 11%
ICT sector intermediate consumption (thousands of current $) | 12.315.349.763$ | 13.547.743.059$ | 14.285.044.139$ | 16.067.664.387$ | 18.232.907.927$ | 48% | 10%
ICT sector intermediate consumption vs total intermediate consumption (%) | 33,2% | 33,7% | 31,8% | 32,1% | 32,8% | |
Total personnel expenses (thousands of current $) | 27.989.926.902$ | 30.521.312.413$ | 34.889.923.521$ | 37.879.397.772$ | 41.487.367.815$ | 48% | 10%
ICT sector personnel expenses (thousands of current $) | 3.420.469.121$ | 3.863.365.433$ | 4.423.222.526$ | 5.029.288.455$ | 5.499.769.526$ | 61% | 13%
ICT sector personnel expenses vs total personnel expenses (%) | 12,2% | 12,7% | 12,7% | 13,3% | 13,3% | |
Total productivity | 1,27 | 1,30 | 1,30 | 1,31 | 1,30 | 3% | 1%
Total productivity, ICT sector | 1,59 | 1,61 | 1,64 | 1,63 | 1,59 | 0% | 0%
Labor productivity | 31.574$ | 34.509$ | 37.008$ | 38.496$ | 38.556$ | 22% | 5%
Labor productivity, ICT sector | 133.791$ | 147.139$ | 152.610$ | 147.940$ | 137.741$ | 3% | 1%
Monthly remuneration | 1.593$ | 1.682$ | 1.798$ | 1.839$ | 1.890$ | 19% | 4%
Monthly remuneration, ICT sector | 2.937$ | 3.320$ | 3.487$ | 3.559$ | 3.588$ | 22% | 5%
  • 35. 35 Figure 2.19. Trends of incidents in the digital environment in Colombia Source: CRC (2015) Table 2.5. Methods used by criminals in Colombia to obtain information of financial customers
    Concept | Description
    Phishing | Criminals forge the institution's website in order to obtain personal and financial information (credit card numbers and passwords) and, via electronic mail or pop-ups, they direct the clients to a forged web page where they request their information.
    Smishing | This fraudulent practice uses text messages, i.e. SMS, and social engineering to deceive persons in order to obtain personal and financial information.
    Spy software (malware or trojans) | Criminals use software to monitor the activities performed by the PC user. Similarly, they have access to the information that the user keys in and to the contents of his electronic mails.
    Key logger | By using software or hardware, criminals seek to record the text typed by the users on their PCs.
    Cloning | Copying the information contained in the magnetic strip on debit and credit cards.
    Source: ASOBANCARIA (2015) In relation to the costs of the country's digital security incidents, on the one hand ISSS (2014) estimated that in Colombia the cost of malicious activity in the digital environment for 2013 was approximately USD$ 464 million. On the other hand, Intel Security (2014) estimated that said cost for Colombia in 2014 was approximately 0,14% of the GDP. Figure 2.20. Cost of the malicious activity as % of the GDP in some countries in 2014
  • 36. 36 Source: Adapted from Intel Security (2014) In addition to the foregoing, based on the information provided Intel Security Foundstone, a consulting services company in the field of response to incidents, discovery of vulnerabilities and security strategy and in collaboration with Intel Security, reported on 7 January 2016 in the United States a total of 604.493 incidents and in Brazil 77.423, while in Colombia that number was 8.128. Having analyzed the international and national arena around the evolution of access to and use of ICTs in the digital environment, the conclusion is that Colombia is increasingly digital thanks to the efforts of the national Government through the implementation of effective sector policies that promote the participation of society in the economic and social activities in the digital environment. The country's digitization generates economic growth and improvement of productivity and competitiveness. However, greater use of the digital environment entails greater risks and uncertainties. How to address them has been a topic of discussion at international level, because the conditions to execute said economic and social activities have been changing drastically. Therefore, the increase of incidents in the world and in the country generates an impact on the digital economy that must be addressed under an updated vision of the matter. 3. CONCEPTUAL FRAMEWORK This section discusses the new trends in defining digital security strategies or policies and the digital security risk management model based on international best practices on the matter, a model towards which the national Government must work.
  • 37. 37 According to the OECD (2015a), during the last ten years, digital security incidents have increased, generating a series of uncertainties and significant consequences for each and every one of the individuals and organizations. This situation has generated the issuance of an international regulatory framework, see Table 3.1, as well as an intense debate on how to address these incidents today. Table 3.1. International Regulatory Framework Instrument Matter
    Convention on Cybercrime of the Council of Europe – CCC (known as the Budapest Convention on Cybercrime) adopted in November 2001 and in force since 1 July 2004) The main purpose of the convention is the adoption of a legislation that facilitates the prevention of criminal behavior and that contributes with effective tools in the penal field to allow the detection, investigation and prosecution of illegal behaviors. Only binding instrument on the matter at international level, as well as its protocol to criminalize racist and xenophobic actions committed via computer systems. The Council deems that cybernetic crime demands a common penal policy intended to prevent crime in cyberspace, in particular through the adoption of suitable legislation and the strengthening of international cooperation. It is important to highlight that although the CCC originated at European regional level, it is an open instrument for adherence by all the countries of the world. Worth noting is that Colombia received an invitation from the Council of Europe to adhere to the Budapest Convention as a result of a process started in 2011 with the enactment of CONPES document 3701, which required the Ministry of Foreign Relations to submit a formal request to the Council of Europe to invite Colombia to be part of the Budapest Convention.
This way, on 20 September 2013, the Council of Europe's Council of Ministers approved the invitation for Colombia to adhere to the Budapest Convention, and be part of the additional protocol related with the criminalization of racism or xenophobic related actions committed through computer systems. Based on this decision, Colombia has five (5) years to adhere to the international instrument.
    Resolution AG/RES 2004 (XXXIV-O/04) of the General Assembly of the Organization of American States Comprehensive Strategy to Combat Threats to Cybersecurity Multidimensional and multidisciplinary approach to creating a culture of cybersecurity It stipulates three avenues of action: i) Creation of a hemispheric network of Computer Security Incident Response Teams – CSIRT, assigned to the Inter-American Committee against Terrorism – CICTE; ii) identification and adoption of technical standards for safe Internet architecture, a job carried out by the Inter-American Telecommunications Commission; and iii) adoption and/or adapting of the legal instruments necessary to protect Internet users and information networks from criminals and organized criminal groups that use these means, under the responsibility of the Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas – REMJA. The Comprehensive Strategy is described in this Resolution AG/RES 2004 (XXXIV-O/04), approved at the plenary session of the thirty-fourth period of sessions of the OAS General Assembly, held on 8 June 2004. To this extent, the Resolutions have a compliance level different from that generated by a Treaty or a Convention, because if a country member of the OAS has approved the Resolution by vote, it is expected that the country has the same commitment to comply with it.
In this case, Colombia as a member of the General Assembly of the OAS signed this Resolution, and the binding force of the resolutions is reflected in the obligation of the countries to submit reports and present results in relation with the agreements in said resolutions. Moreover, Colombia, as member of the Inter-American Committee Against Terrorism (CICTE) and of the Inter-American Telecommunications Commission (CITEL), must be
  • 38. 38 subject to the Resolutions and recommendations issued by those bodies. Lastly, it is important to consider that the OAS Resolutions do not have the binding nature of a treaty; however, the General Assembly is the supreme body of the OAS and all its expressions hold high diplomatic and political value.
    Decision 587 of the Andean Community dated 10 July 2004 Whereby the Guidelines for the External Security Policy of the Andean Community are established. Objectives of said policy are to prevent, combat and eradicate the new threats to security, and their interrelations, when appropriate, through cooperation and coordination efforts to confront the challenges that such threats represent for the Andean Community. According to article 3 of the Treaty Creating the Court of Justice of the CAN, the legal scheme of the CAN is supranational, which is translated into the issuance of common laws or standards that have direct effect and are binding in the member states as of their publication date in the Official Gazette of the Cartagena Agreement, without the need to request prior approval by the National Parliaments for their entry into force and effect in each one of the member states.
    Consensus on Cybersecurity of the International Telecommunications Union – ITU, within the United Nations, in execution of the Tunis action program for information society 2005 It seeks to promote the analysis of pertinent international concepts intended to strengthen the security of global information and telecommunications systems. The Resolutions that the ITU may issue are binding for Colombia, as the constitution of the ITU and the ITU Convention were approved by means of Laws 252 dated 1995 and 873 dated 2004, as well as the subsequent amendments.
    Resolution 64/25 “Developments in the field of information and telecommunications in the context of international security”. United Nations General Assembly (UNGA).
(2009) The General Assembly exhorts all the member states to continue promoting the multilateral analysis of real and potential threats in the information security field and possible measures to limit the threats that may arise in that area, consistently with the need to preserve the free circulation of information. This Resolution follows the Assembly's monitoring, with the Resolutions issued until 2 December 2008. The Resolutions of the UN General Assembly, such as those affecting budget, internal matters or instructions to lower-ranking bodies, are binding; however, the recommendations of the General Assembly and the Resolutions based on those are complied with to the extent that the State can execute them according to its budget.
    Directive 2006/24 of the European Union Directive 2006/24 set forth the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks, and served as the reference enforced by the member states until 2014. This directive was declared invalid by the Court of Justice of the European Union in April 2014, given that it imposed on the member states the obligation to adopt in the internal legislations the retention of data transported over the communications traffic, as it deemed that said measure violates the fundamental rights in respect of private life and the protection of personal data.
    Statement of Principles UNGA Resolutions: 55/63 and 56/121 Combating the criminal misuse of information technologies; 57/239, 58/199 and 64/211 Creation of a global culture of cybersecurity and the protection of critical information infrastructures; World Summit on the Information Society (WSIS), Declaration of Principles and Agenda of the Tunis Phase (in particular the C5 line of action).
These are general standards or principles that do not constitute rules and are not binding; however, these actions or legal instruments without a mandatory nature are incardinated, in one way or another, in the source system of the International Law (Soft Law).
    National CyberSecurity Framework Manual of the NATO The NATO published in 2012, in collaboration with the NATO Cooperative Cyber Defence Centre of Excellence, the manual for the formulation of national cybersecurity strategies for its member states.
  • 39. 39
    Wales Summit Declaration NATO 2014 Official document of the outcome of the NATO Summit held in Cardiff (Wales) on 4 and 5 September 2014, where the agreements to address cybersecurity in the member states are highlighted
    Source: CRC (2015) Additionally, many multilateral organizations, such as the ITU14, OECD15, NATO16 and OAS, as well as the private sector17, have analyzed the approach to tackle the digital security matter under the current conditions of the digital environment, where it is put forth that the national strategies or policies around the matter should consider risk management, the Governments' systematic leadership, a multidimensional approach, shared accountability and protection of national values. Figure 3.1 shows the evolution of the implementation of digital security strategies in various countries, some of them members of the OECD and others not. 14 The International Telecommunications Union –ITU– is the United Nations (UN) organization specialized in telecommunications, responsible for regulating telecommunications at international level among the various administrations and operating companies. ITU (2011) established as general principles of a national cybersecurity strategy: risk management, Governments' systematic leadership, multidimensional approach, shared responsibility and protection of national values. 15 OECD (2015b) highlights a new generation of national cybersecurity strategies under national policies with high-level leadership support within the national governments, including all of society's stakeholders, with a holistic approach covering economic, social, technical, legal, educational, diplomatic, military and intelligence-related aspects. 16 The North Atlantic Treaty Organization –NATO–, also called Atlantic or North Atlantic, is a military inter-government alliance based on the North Atlantic Treaty or the Treaty of Washington signed on 4 April 1949.
According to the manual for the formulation of national cybersecurity strategies presented by NATO's Center of Excellence for Cybersecurity Cooperation in CCDCOE (2012), one of the four trends in the formulation of national strategies, in particular those designed by the United States and by the United Kingdom, is the recognition that a diverse set of threats and challenges requires a risk management based approach. Similarly, it highlights that said strategies must deal with a set of dilemmas, among others: stimulating the economy versus improving national security. 17 The Information Technology Industry Council –ITI– is the global voice of the IT sector and gathers the most important ICT companies and organizations of the world. ITI (2011) and ITI (2012) recommend that a national cybersecurity strategy must be based on risk management and must be focused on awareness raising among and education of all the stakeholders in order to know how to reduce digital security risks, among others.
  • 40. 40 Figure 3.1. Evolution of the implementation of a digital security strategy in some countries Source: Adapted from Hernández (2014) [Figure 3.1 labels: 2015 Strategies with a set of principles, framed within digital security risk management, distinguishing the objectives of economic and social prosperity from the objectives of national defense and of the fight against crime and delinquency in the digital environment. France 19/10/15 National Digital Security Strategy, Czech Republic 16/02/15, Malta, Ireland 02/07/15, Iceland, Portugal 28/05/15, OECD Recommendations on digital security risk management 17/09/15] Upon reviewing the different national policies or strategies around the matter, one can conclude that the national strategies for cybersecurity and cyberdefense have evolved towards national strategies for digital security. There was a shift from cybersecurity and cyberdefense strategy design focused mainly on objectives of national defense and national security (fight against crime and delinquency) in the digital environment, towards the design of strategies with a set of principles under a framework of digital security risk management, differentiating the objectives of economic and social prosperity from the country's objectives in the field of defense and the fight against crime and delinquency in the digital environment. This is the position of the OECD, after more than two years of review and analysis of more than thirty years of experience with respect to the way these incidents in the digital environment were addressed in the past and with regard to the objectives that the countries had targeted to achieve. As a result of said work, the OECD adopted on 17 September 2015 the Recommendations on Digital Security Risk Management for Economic and Social Prosperity. This document provides guidance for the new generation of strategies for digital security management with the purpose of optimizing the
  • 41. economic and social benefits expected from the conduct of activities in an open digital environment. The OECD's recommendation calls on both member states and those that have not adhered to it to: i) implement a set of principles at all levels of the Government and of public organizations, and ii) adopt a national strategy for digital security risk management. Figure 3.2 shows a summary of the OECD recommendations on Digital Security Risk Management, which highlights a set of eight principles, four general and four operational, as well as a series of recommendations on the adoption of a strategy to manage digital risks. In general terms, it is recommended that the policy address digital security risk as an economic and social challenge, creating conditions for all stakeholders to manage digital security risks in their economic and social activities, and promoting trust in the digital environment as a means to achieve the objectives.
Figure 3.2. Schematic summary of the OECD recommendations on Digital Security Risk Management. Source: ICT MINISTRY (2015b).
[Figure 3.2 labels: General principles: Empowerment; Human rights and fundamental values; Responsibility; Cooperation. Operational principles: Cyclical risk management; Security measures; Innovation; Preparation and continuity. Adopt a national strategy: that is consistent with the principles and creates conditions for all stakeholders to manage digital security risk in all economic and social activities; that includes measures enabling the Government to carry out a series of actions.]
Similarly, the recommendation clearly advises that the policy that countries design must articulate a general vision, supported by the highest level of the Government, under an efficient institutional model that involves each and every one of the stakeholders: the national Government itself, public and private organizations, academia and civil society. This national policy should clearly differentiate the
  • 42. economic and social prosperity objectives from the country's objectives in the field of defense and the fight against crime and delinquency in the digital environment. Figure 3.3 shows the summary of the principles put forth by the OECD for building a digital security risk management policy. It puts forward general principles: i) knowledge, capability and empowerment, ii) accountability, iii) human rights and fundamental values, and iv) cooperation. It also proposes operational principles: i) risk assessment and treatment cycle, ii) security measures, iii) innovation, and iv) preparation and continuity.
Figure 3.3. Principles put forth by the OECD for the building of a digital security risk management policy. Source: ICT MINISTRY (2015b)
1. Knowledge, capabilities and empowerment
    • All stakeholders must understand digital security risks.
    • They must be aware that digital security risk can affect the achievement of their economic and social objectives and that others may be affected.
    • They must be educated and have the skills needed to understand the risk, to manage it, and to assess the impact.
2. Responsibility
    • Stakeholders must take responsibility for the management of digital security risk.
    • They must act responsibly and be accountable, on the basis of their roles and their ability to act, taking into account the possible impact of their decisions on others.
    • They must recognize that a certain level of digital security risk has to be accepted in order to achieve economic and social objectives.
3. Human rights and fundamental values
    • Stakeholders must manage digital security risks in a manner that is transparent and compatible with human rights and fundamental values.
    • Digital security risk management must be implemented in a way that is compatible with freedom of expression, the free flow of information, the confidentiality of information, and the protection of privacy and personal data.
    • Organizations must have a general policy of transparency about their practices and procedures for digital security risk management.
4. Cooperation
    • All stakeholders must cooperate, including beyond their borders.
    • Global interconnection creates interdependencies among stakeholders and calls for their cooperation.
    • Cooperation must take place within governments and private and public organizations, as well as between them and with individuals.
    • Cooperation must also extend across borders at regional and international level.
5. Risk assessment and treatment cycle
    • Risk assessment must be carried out systematically and continuously.
    • The possible consequences of threats combined with vulnerabilities in the economic and social activities at stake must be assessed.
    • Risk treatment should aim to reduce risk to an acceptable level relative to the economic and social benefits.
    • Risk treatment includes several options: accept, mitigate, transfer, avoid, or a combination.
6. Security measures
    • Leaders and decision makers must ensure that security measures are appropriate and proportionate to the risk.
    • Digital security risk assessment must guide the selection, operation and improvement of security measures to reduce risk to acceptable levels.
    • Security measures must be appropriate and proportionate to the risk and must take into account their potential negative and positive impact on the economic and social activities they are intended to protect.
7. Innovation
    • Leaders and decision makers must ensure that innovation is considered an integral part of reducing digital security risk.
    • It must be fostered both in the design and operation of the economy and of social activities based on the digital environment, and in the design and development of security measures.
8. Preparation and continuity
    • Leaders must ensure that continuity plans are adopted.
    • Preparedness and continuity plans must be adopted to reduce the adverse effects of security incidents and to support the continuity and resilience of economic and social activities.
    • The plan must identify measures to prevent, detect, respond to and recover from incidents, and provide clear escalation mechanisms.
    • Appropriate notification procedures.
  • 43. Lastly, Figure 3.1 highlights the adoption of a national digital security strategy by France, a few days after the publication of the recommendation that came out of the OECD's analysis. Said country defined a strategy based on some fundamental principles, with five strategic objectives around digital security risk management. This has also been the focus of countries that issued their strategies even before the date of adoption of the recommendations, such as the Czech Republic, Malta and Portugal, among others. On the other hand, it is important to highlight that this change of approach has been observed not only at government level but also among private organizations. Based on The Global State of Information Security Survey 2016, PwC (2015) concludes that effective digital security programs have started with a risk-based strategy, finding that most organizations (91%) have adopted digital security risk management under directives such as ISO 27001, which allow organizations to identify and prioritize risks and to improve internal and external communication. Figure 3.4 and Table 3.2 show the results of said survey.
Figure 3.4. Adoption of digital security strategies in organizations. Source: PwC, 2015
Table 3.2. Percentage of organizations that apply risk-based digital security strategies
Type of organization surveyed                               Percentage
Financial services organizations                            92%
Public organizations                                        92%
Industrial products organizations                           86%
Entertainment, media and communications organizations       94%
Consumer organizations (retailers)                          90%
Telecommunications organizations                            93%
Total                                                       91%
Source: PwC, 2015
  • 44. 4. ANALYSIS
This section describes the country's development in matters of digital security in Colombia under the approach established in CONPES 3701 dated 2011. It also presents the progress made in the analysis of international experiences around digital security through high-level working groups, and it sets out the general problem through five specific issues that the implementation of a national policy is intended to resolve.
4.1. Progress of the recommendations established in CONPES 3701 dated 2011
CONPES document 3701 dated 2011, Policy Guidelines for Cybersecurity and Cyberdefense in Colombia, established a work framework to address digital security issues during the period 2011 to 2015, formulating three strategic objectives: i) implement adequate institutions, ii) provide specialized training and expand the research lines in Cybersecurity and Cyberdefense, and iii) strengthen the legislation and international cooperation in order to forge a baseline that facilitates the building of a national strategy. As for the achievement of the indicators established to track said CONPES document, 90% of the activities proposed in its action plan have been fulfilled, according to the National Planning Department (DNP), through the report submitted with a cutoff date of July 2015.
• Institutions
With respect to the execution of the activities defined in the aforementioned CONPES document, the institutions in this field were strengthened, as reflected in the creation of the Cyber Emergency Response Group (ColCERT), the Joint Cyber Command of the Military Forces (CCOC) and the Police Cyber Center (CCP), in addition to the computer security incident response team of the National Police (CSIRT-PONAL).
In addition to these institutions, other departments have been created within existing institutions, such as the Data Protection Delegate at the Superintendence of Industry and Trade (SIC), and the Sub-directorate of Security and Privacy of Information Technologies attached to the Directorate of Information Technology Standards and Architecture of the Vice-Ministry of Information Technologies and Systems of the Ministry of Information and Communication Technologies, as well as the Cyber Units of the National Army, the National Navy and the Colombian Air Force, among other organizations. The National Digital and State Information Commission was created by means of Decree 32 dated 2013. Its functions are, among others: i) advise the National Government on the position that it shall take before the organizations in charge of matters related to Internet governance, domains,
  • 45. intellectual property of the networks, cybersecurity, cyberdefense, and protection and privacy of information, and ii) generate guidelines for the Cyber Emergency Response Group in Colombia.
• Training
With regard to the Ministry of National Defense, it is important to point out that the ColCERT team has promoted the dissemination of a Cybersecurity and Cyberdefense culture, as well as the management of incidents in the State's institutions. The CCOC, in turn, promoted the development and strengthening of its own cyberdefense capabilities and those of the Cybernetic Units, and it provided guidelines and directives within the institutions in this respect, in order to guarantee the defense of the sovereignty, independence and integrity of the national territory and of the constitutional order. Similarly, in coordination with the ColCERT, a catalog of critical infrastructures is being developed which shall enable the coordination and management of protection and defense plans for said infrastructures. On the other hand, the CCP is in charge of the investigation and prosecution of cybernetic crimes, and to that effect it has specialized personnel, state-of-the-art equipment and laboratories. The operational results show the capabilities that have been developed. Similarly, education and training have been strengthened from various angles and action fronts, in aspects such as awareness-raising campaigns for the responsible use of the Internet, with emphasis on children and youth, and the provision of specialized training for civil servants. Moreover, the country has advanced significantly in generating specialized academic offerings in this field. Today, there are more than fifty academic programs ranging from technical level to master's studies, as well as a wide range of non-formal education courses which include internationally recognized certifications.
• Legislation
With regard to the strengthening of the legislation, Colombia has a legal framework in place that includes the recognition of data and information as a protected legal asset, and it has regulations specifically aimed at aspects such as the protection of personal data and the protection against exploitation, pornography, sexual tourism and all other forms of sexual abuse involving minors. One aspect of this framework worth highlighting is that the Ministry of Information and Communication Technologies established the implementation of an Online Government strategy, which
  • 46. incorporates the adoption of Information Security Management Systems within public administration institutions, thereby helping to generate dynamics that facilitate the understanding of the problems associated with cybernetic incidents and their management, an important aspect of developing the State's institutional capabilities in the cybersecurity field.
  • 47. • Cooperation
With regard to the strengthening of international cooperation, significant steps have been taken in this area. In 2013, Colombia formally requested, through the Ministry of Foreign Affairs, the country's accession to the Council of Europe Convention on Cybercrime, also known as the Budapest Convention, which establishes the principles of an international agreement on cybersecurity and the sanction of crimes of that nature. With the World Economic Forum, a multilateral convention was established to identify and address the increasing systematic global risks derived from connectivity among people, processes and objects. Through the Inter-American Committee against Terrorism of the OAS, work has been done with "Incident Response Teams" (CSIRT), with Colombia being part of that hemispheric alert network, which provides technical information to personnel specialized in these fields, promotes the development of National Strategies on Cybersecurity and fosters the development of a culture that allows its strengthening in the continent. With the OECD, in addition to the support received as part of the international mission, Colombia fully shares the recommendations established in the document called "Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity". On this same front, the country has signed agreements with industry corporations to access resources and programs specific to Cybersecurity and Cyberdefense, as well as with international organizations such as the Anti-Phishing Working Group, with the purpose of becoming part of this coalition of industry companies, legal authorities and government institutions that collaborate to achieve better alert and response mechanisms for cybernetic incidents. These partnerships have also been strengthened in the local context with industry stakeholders.
Another aspect to highlight is that Colombia has eight (8) computer security incident response teams that are members of FIRST (Forum of Incident Response and Security Teams), making it the country with the third most registered teams in the continent, after the United States and Canada. In the regional arena, Colombia has positioned itself as one of the countries in the region that has progressed the most in Cybersecurity and Cyberdefense related aspects,
  • 48. which is reflected in formal statistics such as the World Cybersecurity Index of the International Telecommunications Union (ITU), in which the country is currently ranked in fifth place at regional level, after the United States, Canada, Brazil and Uruguay, while at global level it shares the ninth position with Denmark, Egypt, France and Spain.
4.2. High-level working groups to analyze the status of the current policy
In spite of the progress made through the execution of the actions established in CONPES Document 3701 dated 2011, these results may not be construed as a sufficient and effective capability to respond to digital incidents, because it has been proven that countries in a better position than Colombia have experienced serious effects due to the materialization of sophisticated and more frequent attacks in cyberspace, motivated by interests of different kinds. Undoubtedly, CONPES Document 3701 dated 2011 led to new dynamics in this field; however, as of 2014, renewed momentum is being pursued through the formulation and development of new policies to strengthen the acquired capabilities, develop further capabilities to counteract threats in cyberspace, strengthen the institutions, update and harmonize the current regulatory framework, and strengthen relations and cooperation with players and stakeholders at national and international level, among other fronts.
This is why President Juan Manuel Santos, aware of the increase in incidents in this area, requested the creation of a high-level Commission of National Experts led by the Ministry of National Defense, the Ministry of Justice and the Ministry of Information and Communication Technologies, to be supported by an international commission. Its purpose is to strengthen the country's Cybersecurity and Cyberdefense policies so as to guarantee a cyberspace that is safe for the user and for the State itself, in order to promote and strengthen political, economic and social development with respect for constitutional rights, and to assess the vulnerabilities to which Colombia is exposed in this field and, therefore, the need to adjust to the challenges imposed by technological advances and threats in cyberspace. Since the establishment of this Commission, the Ministries in charge have held working group sessions with national and international experts in order to perform an analysis and make recommendations on which to build the basis for a new policy direction for Colombia, taking into account the end of the validity of CONPES Document 3701
  • 49. dated 2011. The team of international experts was assisted by members of the Ministries that make up the Commission, as well as by the ColCERT, CCOC, CCP and the public and private sector, among others. The team of international experts was supported by the OAS, as well as by experts from the governments of Canada, Spain, United States, Estonia, South Korea, Israel, United Kingdom, Dominican Republic and Uruguay, and by members of the World Economic Forum, the OECD, the Council of Europe and INTERPOL. In the framework of these working groups, important input was obtained by assessing the current conditions of the policy in order to take it to an advanced status comparable to cybersecurity and cyberdefense policies worldwide. In the case of the working group of national experts, the review was aimed at current aspects of the policy and at those still not present, around five (5) dimensions: i) governance and effective coordination, ii) preparation and prevention, iii) awareness of the current situation, iv) resilience, recovery and response, and v) effective cooperation and exchange of information. The international working group, in turn, issued recommendations focused on the need to: i) develop a global vision for Cybersecurity, ii) adopt a national approach to risk management, iii) establish a clear institutional framework, iv) establish a systematic process to involve all the stakeholders in the development of the strategy and its implementation, and v) adopt a policy for the protection and defense of critical infrastructure, being aware of the need to strengthen personnel capabilities as well as the physical, logical, legal and cooperation capabilities of the institutions.
In conclusion, one can state that there is agreement on the need to incorporate new elements into the institutional structures, the legislation and the current actions, and to incorporate guidance and directives in relation to Human Rights and the enforcement of International Humanitarian Law in cyberspace, so that a harmonious environment can be achieved in these areas in the country, along with adequate coordination at international level. The proposals put forth led to the incorporation into the working groups of other government and private institutions, representatives of academia, civil organizations, specialized companies and authorities in the matter, in order to enrich the proposed plan of action and verify that the strategic recommendations received were considered.
4.3. General problems
  • 50. Based on the analysis performed by the national Government and the five problems described below, the conclusion is that in Colombia there is no clear vision around digital security and it is necessary to develop digital security risk management. This leads to the conclusion that the country does not have a reliable and safe digital environment, which results in the materialization of the risks associated with threats and incidents that threaten citizens' integrity, the Rule of Law, the exercise of fundamental rights, national security and defense and, consequently, the country's economic and social prosperity. Thus a need emerges to establish new digital security guidelines and directives that take into account components such as governance, education, cooperation, regulations, research, innovation, diplomacy, development, protection, security and defense of critical infrastructures, and the State's national interests, among others, and that are focused on the citizens, society in general, the Military Forces and the public and private sectors, so that the country has a social and economic structure in place that facilitates the achievement of the State's goals.
4.3.1. Colombia makes limited efforts to address the digital security issues, as it does not have a clear and general, risk-based vision.
The work framework established in CONPES 3701 dated 2011 was focused on the creation of an institutional framework led by the Ministry of National Defense, which has conducted its functions and activities in an efficient manner. Although this effort has allowed an important positioning at international level on the matter, it is essential to strengthen the national Government's leadership and build a new, clear general vision under a comprehensive approach and in accordance with the best international practices for addressing digital security risks. This situation involves a change in the policy guidelines in force thus far.
At present, the following evidence is presented in respect of the issue:
• Colombia does not have an organization or entity responsible for national coordination in matters of digital security.
• No Digital Security National Agenda has been designed that connects all the institutions of the public sector and all the stakeholders.