Contents

Background ............................................................................................................... 2

Objectives ................................................................................................................. 2

What is a national CIRT......................................................................................... 2-3

The need for a national CIRT .................................................................................... 3

Benefits of having a national CIRT ..................................................................... 3-4

Assessment methodology ......................................................................................... 4

Assessment justification............................................................................................. 5

Readiness assessment................................................................................................. 5

ICT infrastructure ................................................................................................. 6-7

Cyberthreats affecting the Maldives .......................................................................... 7

Local cybersecurity expertise ................................................................................ 8-9

Cybersecurity education and training ................................................................. 9-10

Bibliography ............................................................................................................ 10
1. Background
The Worldwide Telecommunication Union and a team of authorities from IMPACT, carried out
an enthusiastic assessment of the cybersecurity condition in five least industrialized countries in
South Asia to review the familiar and regulatory framework, existing critical information
substructure, identify areas of improvement and recommend a suggestion for establishing a
Computer Incidence Response Team (CIRT). This evaluation was carried out as an input to the
ITU Governmental Forum held from 3-5 August 2010 in the Maldives which resulted in a
ministerial assertion resolution priority area inter alia for cybersecurity in the Maldives. (Sector,
2012)

2. Objectives

The aims of the CIRT evaluation study were to calculate the expertise and readiness to build an
ecological national CIRT, based on an analysis of investor attributes with relevance to security
incident response needs of ABBMN countries. The national CIRT will identify, respond to, and
manage cyber threats and at the same time develop cybersecurity.

The additional goals and deliverables of the valuation study were to:

a) direct cybersecurity readiness assessment of the country.

b) propose institutional and administrative requirements and arrangements for the
creation of the national CIRT.
c) make the necessary suggestions that will improve the cybersecurity readiness of the
ABBMN countries.

3. What is a national CIRT?

A countrywide CIRT responds to processer security or cybersecurity incidences by providing

necessary services to a defined population to successfully identify threats, coordinate actions
at national and regional levels, socialize information and act as a focal point for the population
in matters related to cybersecurity. CIRTs principally focus on the response to ICT-related
protection disagreements on behalf of one or more participants. To provide an overarching
cybersecurity service to a constituency, most CIRTs offer services such as automated services,
proactive services, and security quality supervision services.

P a g e 2 | 10
 4. The need for a national CIRT

The developments and statistics speak for themselves, and the rapidly increasing number of
cyberattacks is now a global trend. Cyber-attacks that were previously introduced only for
nuisance purposes or by “script-kiddies” have now escalated into more catastrophic attacks
motivated by money, political programs, and in some cases as weapons of cyberterrorism.

Among all cyber threats, targeted attacks have the most influence. The motivations for such
attacks can range from theft, such as phishing, to critical intelligence gathering leading to a
larger impact attack, such as a major distraction to telecommunications public services.
Targeted attacks have also grown in sophistication by striking from supplied bases.

The important role of administration in the fight alongside cyber threats is to:

a. ensure the continuity of society in moments of crisis.

b. protect essential services and critical national public services.
c. improve opposition to disruption.

5. Benefits of having a national CIRT

Having emphasized what a national CIRT is and the need to establish one, the benefits of
establishing a national CIRT are to:

a. serve as a trusted focal point within and beyond domestic borders.

b. identify and manage cyber threats that may hurt the country.
c. respond systematically to cybersecurity incidents and take corrective actions.
d. help the constituency to recover quickly and efficiently from security incidents and
minimize loss or theft of information and disturbance of services.

The creation of a national CIRT is as important as having emergency vital services such as a fire
department and a police force and the benefits cannot be underestimated. Figure 2.1 shows
how ITU-IMPACT illustrates the roles and accountabilities that a national CIRT can play in
protecting against cyber threats and potentially drive and promote initiatives such as national
cybersecurity approaches, policies, cyber forensics services, national Public Key Infrastructure

P a g e 3 | 10
(PKI), digital signatures, governance, legislation, Dangerous Information Infrastructure
Protection (CIIP), cybersecurity awareness, training and education, research, international
cooperation, and security assurance.

Key Findings, Issues, and Analysis

The findings in this section are based on stakeholder accounts. The stakeholders provided
knowledge regarding the threat landscape in the Maldives. Representatives from CAM
(Telecommunication Authority) took the time to discuss with the ITU/IMPACT expert and
describe the threats and actual cybercrime cases they have confronted over the past few
years.

a) Overall, there isn’t any mechanism for informing cybercrimes in the Maldives.
Facilities and skilled individuals to detect computer crime incidents are not
generally available.
b) Cybercrime in the Maldives ranges from credit card schemes and phishing to
various forms of unauthorized access, hacking and destruction, child abuse
(via chat), and social networking websites. For Instance, in April 2008, three
Maldivians and one Malaysian were apprehended by the Maldivian Police on
charges of using fake credit cards to purchase Rf3.5 million worth of goods
from shops45.
c) Fake SMS, SMS phishing, and spam are also common in the Maldives.

Recommendations

a) It is clear from the above results that the setting up of a national CIRT as a focal
point to manage incidents, and as a coordination center to manage information
sharing and information flow on cybersecurity is vital. Awareness of the need to
report all incidents to this central point is vital. The CIRT will also provide
knowledge of available best practices that can be shared and employed on their
respective networks.

P a g e 4 | 10
 b) ii. In the future, large organizations that are responsible for the country’s critical
federal infrastructure should establish their CIRTs in collaboration with the
national CIRT. These would be known as sector CIRTs, and they would be
residents of the national CIRT.

6. Assessment methodology

The on-site assessment and off-site certification were administered by ITU-IMPACT experts.
The on-site appraisal methods include meetings, training, conversation conferences, and
site visits. The meetings and face-to-face interview sessions are conducted employing a
questionnaire and responses gathered were accustomed to assessing the necessity for and
existing capability of national cybersecurity systems. The knowledge gathered was also
accustomed from the suggestions for an inspiration of action which is printed during this
report.

7. Assessment justification

The readiness assessment is split into focal areas that time out the problems, detail the
findings and analysis conducted, additionally recommend solutions to the concerns. The
focal areas include the ICT readiness of the country, cyber threats affecting the country,
cybersecurity/ICT legislation, common standards/regulatory framework,
population/stakeholder participation, cybersecurity training, and education, physical
infrastructure, and operational aspects, and therefore the financial model to be approved

8. Readiness assessment:

The Maldives This section contains all the key findings from the evaluation including, key
issues, analysis, and proposals for the enhancement of the cybersecurity situation within
the Maldives. These findings, issues, analyses, and suggestions are supported the data
concluded during the on-site assessment and general research conducted by the authority.

P a g e 5 | 10
9. ICT infrastructure

This section presents the findings on the quality of ICT infrastructure within the Maldives,
the extent of use of ICT facilities like system infrastructure and access devices, and therefore
the level of dependency on ICT for communication of key machineries within the country’s
administration, governmental institutions, organizations still as private entities.

Key Findings, Issues, and Analysis

From the on-site meetings and interviews performed, we gathered the subsequent
information:

a) In August 2001, the govt. of Maldives conscripted a policy to reform the

telecommunication sector. within the Maldives telecommunication policy 2001-
2005, to scale back the digital divide within the country, the subsequent was
proposed:

b) conduct ICT awareness and training programs to encourage the utilization

of ICTs,

c) establish community telecenters throughout the country to produce cheap

and straightforward Internet access,

d) In general, this 2001 telecommunication policy achieved its targets. In

2006, the Maldives telecommunication policy 2006-2010 was announced. It aims
to expand the national telecom infrastructure to produce broadband services to all
or any parts of the country with no inequitable charges. Progress has been made
but several projects still face delays due to a scarcity of competent personnel and
government structure changes. However, the national ICT Policy, brainstormed in
2003, continues to be not complete. (Sector, 2012)

e) Dhiraagu launched the web to the Maldives in October 2006 with dial-up
connections for about 575 users. the web community within the Maldives has
grown quickly over the past decade to succeed in 87,862 users in 200939. This
represents a penetration rate of twenty-two. 2 percent of a complete people of

P a g e 6 | 10
 396,334 (2009 census). As of 2009, Maldives counted 17,880 broadband Internet
users. (Sector, 2012)

f) The Maldives includes a very high cellular communication intelligence rate

with 147.9 mobile subscribers per 100 inhabitants. All occupied highlands have
access to fixed-line telephones with a tele density of 15.89 per cent40. There are
three certified telecom operators, namely Dhiraagu that has been operating since
1988; Focus Infocom Raajjé (ROL) established in 2003, the country’s second ISP,
and Wataniya started its control in 2005. (Sector, 2012)

g) ADSL broadband Internet services are accessible over the fixed-line

telephone network in Male and 13 other islands. It reaches a resolute 40percent
of the population with 11,530 ADSL lines and 1,076 ISDN lines41. (Sector, 2012)

Recommendations

a) The decision-makers at governmental and departmental levels must consider and

allocate sufficient priority to security, reliability, and disposal of systems altogether
ongoing ICT infrastructure projects. The principle of defense comprehensive should
even be adopted by the govt. altogether projects concerned with ICT. Maldives is at a
stage of incorporating new ICT technologies into its Critical National Information
Infrastructure (CNII) and this variation needs systems to be designed with adequate
security.

b) Regulations for telecommunication and Internet Service Providers must be

developed to cater to continuous technological improvements.

10. Cyberthreats affecting the Maldives

The need for CIRT services has already been underlined in chapter 1 of this report.
Mitigating and eradicating cyber threats affecting a rustic is one in each of the critical
considerations when establishing a national CIRT. This section discusses the key findings,
issues, analysis, and proposals concerning cyber threats involving the Maldives. The
P a g e 7 | 10
 findings during this section are support stakeholder accounts and knowledge provided
by some key personnel. Often there have been no supporting documents to verify their
facts

Key Findings, Issues, and Analysis

a) The major stakeholders that uttered their enthusiasm to cooperate and

contribute to the national CIRT project are the Ministry of Civil Aviation and
Communiqué (MCAC), the Office of the National Security advisor (CAM) that
reports directly to MCAC, NCIT, the Department of National Registration (DNR),
the Maldives Police Service (MPS), Maldives National Defense Service (MNDF),
and therefore the Attorney General’s Office (AGO). Input and cooperation from
the ISPs organization and telecommunication operators, among others
Dhiraagu, are going to be needed for the success of the operation.

Recommendations

a) One of the critical success components of a national CIRT is active

participation from stakeholders and constituencies in information sharing and
organization work. The involvement from these events should start from the
very beginning, as early drafting board the planning stage of the McCrite
establishment. Once recognized, the McCrite has the burden of earning and
nurturing the trust of the stakeholders and therefore the communities.

11. Local cybersecurity expertise

one of the obstacles to making a sustainable CIRT is the convenience of locally produced
cybersecurity expertise. Many CIRTs failed because of this. This section discusses the key
findings, issues, analysis, and proposals for local cybersecurity experts within the
Maldives.

Key Findings, Issues, and Analysis

P a g e 8 | 10
 a) From the data collected and research conducted by the ITU/IMPACT
expert, it may be concluded that the number of locally formed cybersecurity
experts within the Maldives remains low.

b) an honest number of people have general engineering qualifications. This

is mainly attributed to the purpose that universities, colleges, and other local
training institutions didn't offer cyber security-specific courses.

Recommendations

a) The most pressing matter now's the institution of the national CIRT and
getting the right technical expertise to control it. This can be achieved by
collaborating with local experts just like the Maldives Open-Source Society
(MOSS) or sending identified candidates for appropriate education and
seminars, either locally (if available) or abroad.

12. Cybersecurity education and training

As discussed, one in every one of the awkward blocks of creating a sustainable CIRT is
the availability of locally produced cybersecurity expertise because of the reduced
availability of cybersecurity education and training programs in the Maldives. This
section discusses the key findings, issues, analysis, and proposals for cybersecurity
education and training.

Key Findings, Issues, and Analysis

a) Cybersecurity learning within the Maldives is proscribed to

occasional seminars, workshops, short courses by international
organizations, and regional seminars that several participants have
attended in the past. Apart from that, proper cybersecurity courses
or subjects are not available at national universities.

Recommendations

P a g e 9 | 10
 a) One of the foremost important elements in creating and sustaining
a national CIRT is the competency of the personnel. Training and human
space development programs must be in situ to own locally produced
professionals.

Bibliography

government, U. S. (n.d.). Retrieved from https://www.gsa.gov/technology/government-it-

initiatives/cybersecurity/cybersecurity-programs-policy.

Ministry of Electronics & Information Technology, G. o. (Ed.). (n.d.). Retrieved from

https://www.meity.gov.in.

New York, N. 1. (1949). Retrieved from https://bfbond.com.

Sector, T. D. (2012). Readiness Assessment.

P a g e 10 | 10