Interview With Dr. Sherif Hashem
Can you introduce yourself to SECURITY KAIZEN Magazine readers?
I am the Senior Advisor to the Minister of Communications and Information Technology for CyberSecurity, and the Executive Vice President of the Information Technology Industry Development Agency (ITIDA), Egypt. I am also a Professor at the Faculty of Engineering, Cairo University, Egypt (on leave). I had received a B.Sc. in Communication & Electronic Engineering (Distinction with honor) and an M.Sc. in Engineering Mathematics from Cairo University (Egypt – 1985 & 1988), and a Ph.D. in Industrial Engineering from Purdue University (USA – 1993).
I had also completed the Senior Executive Program at Harvard Business School (USA – 2001). I am currently responsible for e-Signature, cyber security, and Intellectual Property
Rights (IPR) protection for software and databases. Dr. My responsibility includes setting the framework for establishing and operating the Egyptian Computer Emergency Response Team (EG-CERT) at the National Telecom Regulatory Authority, the Egyptian Root Digital Certificate Authority (Root-CA) and the Software IPR Office at ITIDA .What are the benefits that ITIDA provide to information security community specifically , not the IT sector as a whole?
ITIDA is the main anchor for E-Signature in Egypt, and it hosts the Root PKI Certificate Authority (Root CA) for the country. The Root CA links the 3 private e-signature certification service providers (CSPs) as well as the governmental CA run by the Ministry of Finance, thus providing an integrated infrastructure for PKI services and e-signature applications in Egypt. Such an infrastructure is essential for establishing and protecting the digital identities of individuals as well as organizations, which paves the road for a more interactive Egyptian information society with enhanced quality of life. The PKI infrastructure is also essential for advanced and secure egovernment and e-business applications.
The Root CA also provides a gateway for cross-recognition of PKI digital certificates with other countries, thus facilitating and empowering e-business applications with the international community. The establishment and the operation of the PKI infrastructure involved a comprehensive training and skills development programs for professionals working at ITIDA and with the private CSPs; which not only enhances the security of the operation of the national infrastructure, but also provides opportunities to export advanced PKI services to the Arab and African Regions. Since its establishment in 2005, ITIDA has organized, supported and hosted several events and workshops, such as the ITU Arab Regional CyberSecurity and Digital Identity Symposium held at the Smart village 18-20 Dec 2011.
Can you give us an overview, status and progress of the e-signature and Root CA projects?
Dr Sherif: The Root CA was launched on 28 September 2009, and the three licensed private CSPs have been linked to the Root CA shortly after. ITIDA has also provided a grant to develop an Egyptian Smart PKI Token. The company that won the grant developed two PKI tokens: with and without biometrics (finger print), which are currently available in the Egyptian market, and are also being marketed abroad. ITIDA has been lobbying for the deployment of e-signature and PKI applications with the e-Government Program, and with key stakeholders in various sectors, including of course the ICT Sector, the banking sector and the Stock Market.
you were the pioneer in establishing CERT in Egypt; can you please give us a quick overview about CERT and the role of EGCERT in Egypt Security life?
The Egyptian CERT (EG-CERT) was established at the National Telecom Regulatory Authority (NTRA) and started its operation in April 2009. Operating on 24/7 basis, EG-CERT has about 16 professionals who provide high level monitoring and security incident handling support to key stakeholders responsible for the ICT infrastructure in Egypt. EG-CERT also assist in providing expert reports to courts in major cybersecurity cases, such as the international Phish Phry case that was uncovered in October 2009. EG-CERT has supported several stakeholders within the government, and the ICT and the financial sectors in dealing with a variety of security incidents, including DDOS attacks, hacking and web defacement. It is worth noting that in 2009- 2010, the NTRA launched a national comprehensive cybersecurity training program provided through the well known SANS institute, resulting in the certification of 179 ICT professionals across 38 entities in the governmental sector, ICT and CSP companies, banking and financial sector, and academic institutions. Of course, EG-CERT’s staff are among the graduates of that program, with some of them receiving multiple SANS certificates with high scores.
Many Security Professionals are wondering why, till now, EGCERT doesn’t have a website or a published phone number to contact them incase of a cyber incident or a security query?
EG-CERT will launch their website soon, but in the meantime they can be reached through the NTRA.
Why CERT is under the NTRA? Are they only focused on telecom sector? What about the other sectors like banking, oil & gas..?
EG-CERT is the first cornerstone towards a comprehensive approach for national Critical Information Infrastructure/CyberSecurity Strategy. Such a strategy will cover critical sectors, including the ones that you mentioned above.
Does EGCERT or any other entity in the government have clear Security Awareness Program targeting public users like university students, different government employees and others?
As mentioned above, this needs to be part of a comprehensive national strategy
In your opinion, why the Egyptian Government websites were attacked so easily during the 25th of January Revolution and do we have any kind of Audit on the government’s sites?
Governmental websites are hosted by a variety of providers (in-house, ISPs, etc.), and in some cases the providers and/or the developers do not pay enough attention to security concerns, which makes some websites vulnerable to cyber attacks. As I mentioned above, we need a comprehensive cybersecurity national strategy. Moreover, we also need to enhance/amend the regulatory framework relating to operational requirements for public and governmental information systems.
I received many comments from the Egyptian Security Community that they don’t feel the progress of Information Security in Egypt. In your opinion, is that because of the lack of publications about MCIT achievements in that field or because of the lack of achievements itself?
As I mentioned above, MCIT has launched the CERT (at the NTRA) and the PKI ROOT CA (at ITIDA), and has supported a comprehensive national cybersecurity training program for 220 professionals in 38 entities in the government, and the ICT and the financial sectors. MCIT and its affiliates (ITIDA, NTRA, NTI, ITI) have also supported and organized several events and training workshops, such as Hacker Halted (by EC Council) and other worldwide leading cybersecurity specialists. We understand that cybersecurity threats are increasing and the expectations of our cybersecurity community are also growing. So as security professionals, whether in the government or in the private sector or in the academia, we need to increase
our coordinated efforts to further the national cybersecurity agenda, and to expand our outreach to the general public, and to lobby with decision makers in all sectors.
In the last couple of months, there were a lot of discussions regarding the electronic voting and its security, what is your opinion about it and Is it doable in Egypt or not ?
The use of ICT in the voting process will definitely enhance the citizen’s experience and facilitate participation in the democratic transformation in Egypt. In this regard, ITIDA hosted a group of about 100 ICT professionals to analyze the worldwide best practice and advise the government on a comprehensive approach for ICT-enhanced voting. Several meetings took place in March through April 2011, with over 40 contributed documents exchanged and analyzed. The final recommendations were presented to the Cabinet of Ministers, and some recommendations were taken into consideration. However, we still have a long way to go and there are many opportunities to further enhance the voting process using ICTs, whether inside the polling stations or in the case of remote e-voting for expats.
Today, Egypt and the Middle East had a lot of Hacking incidents, why we don’t have a big competition to the security community to challenge their skills and get them to the white hat community instead of the black one especially for the teenagers?
Great idea! I suggest that you take the lead, and let us know how we can support this initiative.
What is your opinion about security kaizen magazine and Cairo security camp initiatives especially after conducting the first capture the flag competition in Egypt?
I enjoyed the security camp, at least the part that I attended. I also like the idea of the competition. Keep up the good work!