ESTABLISHMENT OF A NATIONAL CERT
Ferenc Suba LLM, MA
Chairman of the Board, CERT-Hungary, Theodore Puskás Foundation
Vice-Chair of the Management Board, European Network and Information Security Agency

WHAT IS A CERT / CSIRT?
- COMPUTER EMERGENCY RESPONSE TEAM / COMPUTER SECURITY INCIDENT RESPONSE TEAM
- FUNCTION: PROTECT COMPUTER SYSTEMS FROM MALICIOUS ATTACKS
- WHAT IS PROTECTED: ANYTHING THAT IS CONNECTED TO OR DEPENDENT ON COMPUTERS (GOVERNMENT NETWORKS, TELECOMMUNICATION NETWORKS, CONTROL SYSTEMS OF INFRASTRUCTURES SUCH AS ELECTRICITY GRIDS, POWER PLANTS)
- WHAT KIND OF ATTACKS: AGAINST THE INFORMATION (ILLEGAL INTRUSION) / THE SERVICE (PHISHING) / THE SYSTEM (DENIAL OF SERVICE), MOSTLY COMING FROM ABROAD THROUGH THE INTERNET
- ACTIVITIES: PREVENTION (VULNERABILITY MANAGEMENT), INCIDENT HANDLING (DURING THE ATTACK), MITIGATION (AFTER THE ATTACK) + AWARENESS RAISING, COLLABORATION (NATIONAL / INTERNATIONAL), THINK TANK (PREPARATION OF POLICIES, STRATEGIES)
- CERT IS THE ONLY ORGANISATION TO SHUT DOWN A SERVER ABROAD IN A TIMELY MANNER (MEANING: WITHIN HOURS)

THE CERT COMMUNITY
- Global umbrella organisation: FIRST.ORG (Forum of Incident Response Teams)
- 222 CERTs across 48 countries (members of FIRST)
- Geographical distribution: most of Asia, Australia, Americas, Europe covered, 2 members in Africa
- Composition: academic / industry / national CERTs
- Regional communities: APCERT, TF-CSIRT, European Government CERT Group
- Activities: sharing of knowledge + operational assistance
- Additional activities for national CERTs: point of contact, co-ordination

EXAMPLES OF CERT CO-OPERATION
Large phishing attack against Hungarian banks: 7 banks in HU, for 2 weeks, "foreign" attacks from international botnet administered by 4 virtual domain name servers (all abroad, from Asia, Europe, Americas)
Estonian cyberwar: attacks from 4000 compromised machines (ca. 50% from the Americas, 12 from HU)
Phishing in HU (national + international response):
- PTA-CERT Hungary as coordinator
- With the help of CERT community + HU Banking ISAC
- Localisation + shutting down of VDNS (all abroad)
- Within 4-12 hours
- Notification of ISPs via national CERTs
- Notification of clients from the banks
- Filing a case against unknown persons at the police
Estonian crisis (international response):
- Finnish national CERT + US CERT as coordinators
- With the help of CERT community
- Localisation + cleaning of compromised machines
- Within 2 weeks (after FIRST and TF-CSIRT involvement)
- Notification of ISPs, system administrators via national CERTs

THE BENEFITS OF ESTABLISHING A NATIONAL CERT
- Ability to protect your computer and network systems better
- Ability to develop more secure computer and network systems
- Ability to improve knowledge from the international community
- Ability to get operational help from the international community
- Ability to assist the international community (regionalisation)

Necessary steps to establish a national CERT
- Government support (national strategy, responsible High Level Official + Authority, allocation of money, staff)
- Host of the project (government / non-profit organisation)
- Regulations relating to national CERT (telecommunication, e-commerce, penal code, consumer protection, national security, crisis management)
- National coordination body (private sector, policy makers, law enforcement, CERTs)
- Integration into the international CERT community (FIRST accreditation)
- Communication plan
- Regular exercises with affected sectors (ISPs, telco operators)

CERT-Hungary
- Started as a project by the Ministry of IT and Communications, now National Cybersecurity Centre (within a government foundation)
- Partnership Agreements with: National Communications Authority, Financial Regulatory Authority, Prime Minister's Office, National Bureau of Investigation
- Accredited member of FIRST, TI, EGC
- Operator of the National Alert Service of Communications as contractor
- Responsible for information security of the e-gov backbone network
- Trusted partner of the banking and energy sector (WGs) in CIIP, regular exercises, service contracts
- International co-operations: FI-ISAC, Meridian, IWWN
- CERT capacity building: Bulgaria, South Africa

The Hungarian model
- Bottom-up approach, 5 years of evolution
- Establish a flexible organisation
- Be close to central government
- Use ENISA and partner MSs as leverage
- Have very strong international background
- Build up PPPs with interested private sectors
- Do not be only technical (crisis management, awareness raising, policy making, national and international collaboration)
- Distribute your financial resources (state budget, state project contracts, service contracts, EU and national research projects)

e-Commerce Act
- Only tool to motivate the ISPs
- Liability clauses: indirect liability for ISPs = ISP is liable for any wrongdoing committed through its system if ISP does not co-operate to make the wrongdoing impossible
- Reason: criminals are anonymous + attacks come through the ISPs + only ISPs can effectively take measures against them
- Liability forms vary according to the function: content provider, storage provider, access provider, cache provider, information location tool provider
- Principle: the ISP's liability stands from the moment an e-mail about the wrongdoing committed through its system has been received

Ministerial Decree on National Alert Service for Communications
- Regulates CIIP in communications sector
- Defines critical infrastructures legally
- Defines incidents flexibly (list updated by the National Communications Authority)
- Designates 8 communications providers (biggest ones)
- Reporting obligation of the designated providers
- Reports on incidents affecting at least 1000 users
- Reports received and distributed by the Alert Service Centre
- Distribution list: Ministries, Centre for Crisis Management, Services
- Alert Service Centre outsourced to CERT-Hungary, under the supervision of the National Communications Authority

Government Decree No 223/2009 on the security of public electronic services
- Sections 8-10: National Cybersecurity Centre
- Tasks: crisis management, central governmental system, National Alert Service for Communications, awareness raising, preparation of policy, CIIP collaboration, international representation
- Control: Prime Minister's Office, IT Security Supervisor
- Framework: Theodore Puskás Government Foundation, by a public service agreement
- Basic services free for the government, value-added services for payment

Legal instruments of International Collaboration, future
- No legally binding international agreements
- Basic instrument: Memorandum of Understanding for co-operation
- Reasons: legally binding procedures too slow + flexibility
- FIRST: two faces: association incorporated according to Californian law + conference = annual general meeting
- ICANN: association incorporated according to Californian law
- Future at international level: Governments enter into this area of international co-operation (national cybersecurity strategies, NATO Cyberdefence Policy)
- Future at national level: Act on Information Security, Government Network Security Centres

Thank you for your attention!
ferenc.suba@cert-hungary.hu
PTA CERT-Hungary: www.cert-hungary.hu
Theodore Puskás Foundation: www.neti.hu
ENISA: www.enisa.europa.eu