CERT's role in national Cyber Security: policy suggestions

Transcription

1 CERT's role in national Cyber Security: policy suggestions Subject: Legal Aspect of Cyber Security. Author: Vladimir Chitashvili Lecture: Anna-Maria Osula

2 What is national Cyber Security is? In another words we can say it is Information Security of a State, it is to many other words with which we can explain Cyber security. Let's continue with state, in our world every state has something important in Cyber Space. For example it can be any important e- Service for citizens or organizations. Also everything around us become much more ICT: water and electricity stations, health care, payments can be done directly from your home or work office. What I want to say in this explanations is that States Cyber Space is not only Governmental Space but also commercial. Imagen state where citizens can not use bank services? Or without Internet connection? Imagen that someone attacking this services, nobody not only can made payments from a bank but also from Internet bank. Ok maybe it is not so critical for population health but now think if your water and electricity stations are under attack, and you can not provide this services for your citizens, it can be dangerous for a populations life. In real world you will say it is apocalypses for moder population. This services also must be protected as well as Governmental services. In my opinion it must be prioritized which is much more critical and which not so much. So in one sentence it is information security of everything (governmental and commercial). Now I would like to continue with CERT (Computer Emergency Response Team) and what kind of CERT's can be. First of all I want to speak about National CERT's. What are they doing and which roles they are hold. We can say that national CERT is responsible for handling critical incidents which are occur withing the state. CERT specialized in identification and analysis of critical computer incidents. Another role is information security recommendations and policies not only for government organization but for commercial and even for international institutions. CERT plays really important role in rising national Information security level. They also shares many useful information regarding last exploits, bugs, vulnerabilities and solutions how to fix them. Communication of CERT, I can not say that every national CERT are communicates and shears information between each other, but many of them working in one party or maybe we can say communities and they really help each other. Also I want mentioned that such cooperation are very important, for instance in 2008 during war in Georgia, Estonia helped Georgia and sent them Information Security experts to deal with cyber attacks. Also Estonian CERT was supporting Georgia in that time. I want to say that it is really important to cooperate and share information and knowledge between each other. Such information can be very helpful, Imagen 0 day exploit, one of the CERT for example national CERT of Latvia catches this exploit analyzed it and create a fix. And did not share this information and fix with other CERT's and organizations, in this case you are in a critical situation, because you even don't know what can happen. But if they will do it, it will help other countries to protect themselves. There is also some communities which are doing the same things and they also offer their services in Information Security they called Abus Teams. It is like CERT teams but not governmental organizations. CERT's are actively use different type of monitoring and data collection solutions which help them to analyze traffic which is smoothed through their country. How CERT participate in national security, which role it holds and which regulations it can provide and effects to the state. Now I want to combine CERT with national cyber security. On eof the most important role which CERT do is incident handling. This incidents are categorized and prioritized by their severity level. Let's start with one of the example, for instance I will take one of the bank and IT staff or security officers find some strange network activity, of course they will start monitoring it and analyzing it, also they can ask a CERT to help them in such situation. Such strange network activities can be very harmful not only for bank but also on a national level. Because for example it can be malware which can spread within a network to other systems and this systems will be infected, Imagen that states critical infrastructure is infected and goes wrong. Such situation can cause big damage for state and population. CERT helps to analyze such malware and provide a solution how to fix it and this information is shared, such information is very important for states national security level

3 and it realy can rise level of information security, because as I mentioned national cyber security is not only government but it is also commercial sector. Let me say that all malware, virus, bot or trojan which will be detected withing a state will be uploaded to central database for analyses. CERT will be responsible for analyses and reports how to fix such infections. It is difficult and also I will say impossible to control who will upload it and who not? It really depends to population of the state, how they relate to security of a state and how deep is there understanding about this subject. It is kind of solution how CERT can rise national security level, but I will say it is impossible to achieve, imagine law which will punish people who will not be care about collection of threads? I think it is impossible to control. But in some case it can be rewards for such participations which will rise motivation. Second important thing is cooperation with ISP, CERT is connected to many different security institutions which are gigs and gigs of useful information. As we know it is not surprise if we hear that something was under DdoS attack, it is becoming much often and often. CERT can share very important information for ISP, for example IP which are part of the botnet, such information can help not only to reduce a chance but also to prevent DDoS attack from the outside. The most effctive solution how to protect from DdoS attack it cooperation with ISP, it will cut this flood traffic on the edge. As I mentioned one of the most interesting part for CERT can be ISP, because they transfer all of the data across the state or route it inside. In my opinion ISP must provide statistics, logs, netflow data to CERT, it will help CERT to made correct analyses and realize whole situation in the state. If we will speak about privacy, it will not be a problem for organizations because all important and secret information all the time are encrypted by certificates or smoothed through VPN tunnels, so all encrypted data will be safe and not usable. Such solution will help CERT to secure national space and also will not disturb organizations privacy. Let's continue with connections. Communication, information and solution shearing. In my opinion communication plays one of the biggest role, not only in Information Security but also in any field. How it helps CERT to increase national security of a state? In my opinion communications with any organization, it will be another CERT or just organization maybe even international, will help increase CERT performance and quality of solutions. I will start with very casual situation, for example even when organization or ministry contacting a CERT in any kind of incident, such small things can play big role. Small bags can be so critical and harmful for system. So such communications inform the CERT that something new is happening or something old was spreed. And such bunch of small incidents can draw a big picture which can be analyzed, maybe it is something more important, for instance one of the hacker team preparing big attack to your cyber space. As I know in our day it is not compulsory to inform a CERT about incident or strange activity and nobody will come to you and punish you. In some reasons I can understand why, let say one of the biggest bank was hacked and some of the client information was leaked, which bank would like to publish such information? It can reduce trust to your system what will cause client lose, and what is happening with bank? Exactly it loosing the money. What is much more important banks reputation or security on a national level? Because such incident can be on a national level which can cause secret information leaking for example. My opinion is that we must think widely, state is like one organism if something is wrong, we must cure all part of it and not only one component of it. I think if it will be law that every incident or something strange what is happening must be reported to CERT in other hand you will be punished, I don't mean you will be jailed but maybe penalties. Such law will rise quality and performance of a CERT, what will rise cyber security on a national level. Imagen that CERT will be in touch with all of the incidents which are happening in the state. Or it is also possible to implement everywhere logging and event agent which will sent data to centralized system where will be all statistics, also netflow traffic can be collected for beginning from the most important and critical infrastructures. Such information will play big role in Information Security level, this events can be prioritized and analyzed which event is much more important to fix. What it will give, it will give CERT big understanding what is happening in the state, for what state must be ready in a future, it will help to prepare correct

4 solutions and fixing etc. All of such things will rise national cyber security level. Another question is give such power to CERT or not? In some case organization will say that it is our privacy rights and why I must show you which data I am sending or receiving, we moved to topic privacy or security? In our case it is national security, so what is much more important? I will say both of them, but it is 2 sides of it, in some case imagen that state made a law that all events. Logs and netflow data must be collected in centralized system which will be analyzed by CERT, maybe for native company's it will be ok, but what do s international offices? They can say that I don't want to send you my data, it is my organization policy. So such law can be harmful for a state also because you can lose international organizations in your country. But in some way it can be a strong regulation mechanism. Recommendations and security standards, many CERT's provide recommendations an standards how to rise security level in organization. For example as we told that national security is everything, I can say that if security level of organizations governmental or commercial in a state is high it will mean that national security level also will be higher. As I mentioned CERT provides recommendations about information security strategies, standards, malware analyses and how to behave in critical situation, how manage situation. For instance I can say that CERT's recommendations can be used at least as a part of security framework of the country. If it will be compulsory for organizations to follow this recommendations, manuals and standards, it will rise information security level in the state. I don't want to say that use the latest hardware and solutions to protect your organization, because not every organization can have expansive solutions and also maybe they don't need them at all. But at least all critical infrastructures must follow security policies, standards and strategies. I think that it is not so difficult to achieve some common idea, what is basis of information security and what must be done at the first time. Yes it is very difficult to have common ideas about international cyber security, because it is too many states and ideas and concepts are different which frameworks to use and which information security strategy implement. In this way CERT will play some of the role which will rise national security level. In my opinion such tasks can be separated, for example CERT can write manuals about malware analyses, how to prepare virtual environment, which technique use for static and dynamic analyses etc. Also management of incidents, t hay are really good in management incidents, how to get requests, through which process this request will go, how to reply and gather information and how to report them. In some case it is info, but it is really important how you will handle incidents. Such things must implemented in critical infrastructure. Prioritize of incident plays big role in cyber security. This is also important thing what CERT is doing. It is not only find and fix incident, but also you must realize and choose which incident much more critical and important. Because if you will fix incidents which don't are so important, it can harm many systems before you will even start to analyze it ant it will play on national security level. Also I think that first of all as a organization which is relayed to Cyber Security, CERT's first and critical role is to save people from cyber attacks which can be harmful for populations health or death. In our day cyber space can be used to achieve very terrible aims, which will kill thouthent of people. I am one hundred percent sure that cyber is one of the battlefield. And you can achieve many goals even without using physical contact. Such protection is very important and I can say that CERT is a part of this protections, because they prioritized all incidents. One of the small role of CERT also is to publish helpful information, articles and news about latest incidents. Providing such information will prevent not big amount of incidents, but at least some of them, because be in touch with latest information security news from trust source, in some way important, you can just come to your office and review this news, something can start you thinking about your situation, it can be really helpful. In some case it look like impossible to implement such things in real life, but many things 10 year ago was also impossible for us what we are using now, I mean we must start do something what will bring good result in a future. Nothing happens immediately, in case of the law related cyber space, will be very difficult to regulate and hold cyber space in secure.

5 Also I want to mention that such organizations like CERT's are not only connected with national security, this organizations are much more bigger, I would say that it is international level and in my point of view they are improving security not only on a national level but also on international, because cooperation with other organizations like other states CERT's help them to improve and high a level of security in other states also. I want to say that it is very difficult to say what is national cyber security? As cyber space don't have territory's, how to realize what is national and what is not? For example it is too many hosting and cloud services in many states. Can I say that I am a part of national security of the state where I am using cloud or hosting services? Or maybe I use this services for harm reasons. It is why I want to say that national security is linked with everything what is in a state. In this case the thread is inside state and it becomes easier to gather something. Imagen if one IT company using ISP service for cloud or hosting, where they can store information about sold hardware and software. And one of the important infrastructure using this IT company for outsourcing for hardware or software. If this information will misses to wrong hands. They will know what are you using and after that they will start preparing attacks and searching bugs end vulnerabilities of this hardware or software. I think that everything is connected and we must close our eyes for some things when it is retaliated to much more hight level like national security. I think that it is important to give power to such organizations like CERT, because the roles which they are playing in national cyber security is pretty big. And when we are speaking about national level of information security we cover everything what covers Information technology, and in real life it is everything. For lawyers it is difficult and hard job to understand and realize how it works in cyber space. But I think it must done, in some case we can apply some things at least from international law. I hop that in the future it will be more regulated and safe for users to use cyber space.