DCAF Young Faces 2014 – Cybersecurity Winter School for the Western Balkans

ESTABLISHMENT OF A CERT BODY IN BOSNIA AND HERZEGOVINA

AUTHOR: Dr. sc. SABINA BARAKOVIĆ*

Executive Summary

The way people communicate, obtain and exchange information, entertain themselves, do business, take care of their health and environment, learn, govern, etc. has evolved with the phenomenal growth of communication networks and information systems in Bosnia and Herzegovina and worldwide. Given that the majority of records and processes containing information in Bosnia and Herzegovina have been computerized and automated, the country has become extremely vulnerable to disturbances which may affect the functioning of Information and Communications Technology (ICT) systems and the Internet or jeopardize the reliability and security of the information they contain. Furthermore, due to low cyber security awareness, the complex security management organization on the territory of Bosnia and Herzegovina and a slight technological lag in comparison to advanced European countries, this country is more susceptible to risks and threats in the cyber security domain. Therefore, in order to avoid serious repercussions for individuals, business and society in case of cyber attacks, the Ministry of Security of Bosnia and Herzegovina (MoS) has initiated the establishment of the Computer Emergency Response Team in Bosnia and Herzegovina – BIH CERT. This text aims to give an overview of the activities and future actions of the MoS, as the corresponding government body in the area of cyber security, focusing on the recommendations for the establishment of the BIH CERT.

It argues that the BIH CERT should be a preventive body that gives recommendations for the application and improvement of security measures for protecting the government’s information systems and serves as Bosnia and Herzegovina’s central point for cooperation with international CERTs, thereby contributing to the overall security of cyber space. The mission of BIH CERT should be to continuously increase the reliability of critical infrastructure, work on the prevention and minimization of possibilities for security emergencies, provide assistance to the administrators of critical infrastructure in applying proactive measures for risk reduction and provide assistance in reducing the consequences of security emergencies. In order to form such a CERT, the Council of Ministers of Bosnia and Herzegovina should: (i) adopt the proposed Action Plan, (ii) authorize the MoS to establish the BIH CERT in accordance with the proposed mission, vision and structure, and (iii) adopt the MoS’s proposal for the Law on Information Security and the Cyber Security Strategy for Bosnia and Herzegovina.

Background

Communication networks and information systems worldwide and in Bosnia and Herzegovina have experienced phenomenal growth throughout the last decades and become fully present in everyday life, especially because the majority of records and processes containing information have been computerized and automated. Also, the ICT sector and the Internet have become the backbone of the economy, because, besides its own share, it has a great impact on other sectors, such as finance, health, energy and transport. That is why threats aimed at compromising exchanged data, information and processes have increasingly serious consequences for individuals, businesses, private and public institutions and society; they could disrupt the supply of essential services that we take for granted, such as water, electricity, mobile services, etc. Therefore, information mismanagement literally translates into millions in losses – either direct losses or opportunity losses for individuals or organizations. Led by this knowledge and common sense, one can conclude that assuring information security in this interdependent, multipurpose electronic data processing environment called cyber space is a priority for each individual, organization and society in general [1][2].

Advanced European countries have raised awareness regarding the previously mentioned issues, because their citizens require trust and confidence when conducting various activities online, such as making purchases, banking or disclosing personal information. Consequently, their governments have not only established and strengthened specialized units for enhancing cyber security capabilities, but also harmonized their legislation accordingly.

All previously mentioned issues leave no doubt that countries all over the world must significantly improve their cyber security capabilities, while government, academia and industry must work together to develop and adopt cyber security solutions to keep pace with this dynamic threat environment. Additionally, investment in cyber security can be considered from another economic aspect: cyber space may be seen as an opportunity and a resource. A safe cyber space makes it easier for individuals and businesses to plan their activities, which in turn boosts economic activity. Also, cyber security itself is a new and strengthening business area. In addition to the increasing job opportunities and tax revenue, society accrues benefits from this strengthening business sector in many other ways [3].

Bosnia and Herzegovina and cyber security

In comparison, Bosnia and Herzegovina has hitherto made quite small steps in this field. Namely, the country is organized in a complex way (with two entities, the Federation of Bosnia and Herzegovina, which consists of 10 cantons, and the Republic of Srpska, plus Brčko District). Consequently, the security management sector is equally complex. Due to that fact, there are multiple security bodies and police agencies operating on the territory of Bosnia and Herzegovina, but on different levels (state, entity and canton). On the state level, there are several security management bodies. Firstly, there is the MoS, whose competences are not defined by the Constitution of Bosnia and Herzegovina [4], but within the Law on Ministries and Other Administrative Bodies in Bosnia and Herzegovina [5][6]. Given the complexity of the security management structure and the country itself, especially the opposing political stances and goals within Bosnia and Herzegovina, one may comprehend why it is so challenging and slow to perform activities in this sector, such as initiating strategic activities, taking decisions, assuming responsibility and many others that would benefit the country and its citizens. Furthermore, in comparison with international and comparative law, Bosnia and Herzegovina’s legislation has not adequately kept up with progress in the information security field and thereby neither in cyber security.

On the one hand, at the state level, there is no law on information security or cyber security, while the existing legislation only partially covers these hot issues. On the other hand, when it comes to international documents, Bosnia and Herzegovina has signed several agreements and conventions whose regulations are relevant for information and cyber security. The most important of these are the Stabilisation and Association Agreement (SAA) [7] and the Convention on Cybercrime [8], by which Bosnia and Herzegovina has undertaken the obligation to align its legislation regarding, and establish mechanisms for ensuring, information and cyber security.

The scarcity and disharmony of legal regulations in the field of information and cyber security in Bosnia and Herzegovina indicate that there is a need for the government to adopt a systematic approach at the state level for treating these matters. Each postponement of the adoption and harmonization of new legislation further complicates the situation, distorts the application of European Union (EU) recommendations [9][10], deepens the technology lag of the country and exposes all information systems in Bosnia and Herzegovina to great security risk.

All these above-mentioned reasons – inactivity, low cyber security awareness, the complex security management organization, unadjusted legislation, a slight technological lag, low internal and international cooperation in cyber security and a low qualification level – have made this country more susceptible to risks and threats in the cyber security domain.

In addition, because the country’s objective is to accede to full membership in the EU, Bosnia and Herzegovina must inevitably adopt new legislation and harmonize its current legislation regarding cyber security with the EU’s, and reorganize existing or establish corresponding bodies to enforce that legislation. Specifically, this refers to the requirements of the new Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace [9] and the proposed Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union [10], which are about to be adopted at the EU level. Therefore, in accordance with its governmental competences, the MoS has proposed the Strategy for the Establishment of CERT in Bosnia and Herzegovina (hereinafter: the Strategy) [11]. The Strategy takes into account the serious repercussions for individuals, business and society that the previously described situation could cause, as well as EU recommendations on the formation of cyber security bodies in all member countries and potential member countries. With the Strategy, the formation of the Computer Emergency Response Team (CERT) in Bosnia and Herzegovina – BIH CERT – has been initiated. The Strategy was adopted by the Council of Ministers at its 156th session held on July 28th 2011, thereby becoming the first document at the state level dealing concretely with cyber security issues.

CERT body in Bosnia and Herzegovina

The Strategy provided for the formation of the Working Group for the establishment of BIH CERT. The MoS submitted a draft Decision on establishing and appointing the Expert Working Group, which was formed by the Council of Ministers at its 168th session held on December 7th 2011 [12]. During its mandate, the Working Group has established connections with relevant international organizations, such as the North Atlantic Treaty Organization (NATO) and the Organization for Security and Cooperation in Europe (OSCE). Also, the Working Group has connections with other CERTs in Europe, the European Union Agency for Network and Information Security (ENISA), the Task Force on Computer Security Incident Response Teams (TF-CSIRT), etc., because it has been authorized to represent Bosnia and Herzegovina in CERT matters. In addition, its members have organized several study visits for the purpose of collecting the experiences of other countries more experienced in CERT matters. More important, however, is the creation of the Action Plan, which is still pending adoption by the Council of Ministers.

The Strategy, the Working Group or the formation of a preventive body such as BIH CERT will not solve cyber security issues in Bosnia and Herzegovina per se; however, they are important steps towards systematically building infrastructure in the government’s overall strategy to put cyber space in order through legislation, i.e., assuring and improving cyber security by adopting new or harmonizing existing legislation in this field.

The following subsections summarize the recommendations on BIH CERT formation provided by the adopted Strategy [11] and the proposed Action Plan [13].

Vision and Mission

BIH CERT has been envisioned as a preventive body that gives recommendations for the application and improvement of security measures for protecting the information systems of Bosnia and Herzegovina’s government institutions. Hence, BIH CERT should not include operational problem solving. Although it is not yet established, the vision of BIH CERT should be based on the fulfilment of several assumptions:

• BIH CERT should achieve adequate coordination and cooperation between the relevant bodies in Bosnia and Herzegovina;
• The scope of cooperation should also be expanded into the fields of industry, education and development, through coordination with manufacturing companies, higher education institutions and research centres;
• The activity of BIH CERT should be expanded outside the borders of Bosnia and Herzegovina by cooperating with international CERTs, organisations such as ENISA and TF-CSIRT and international computer manufacturing companies (hardware and software), all for the purpose of mitigating or eliminating the consequences of security emergencies.

Further on, the mission of BIH CERT should be to continuously increase the reliability of critical infrastructure, work on the prevention and minimization of possibilities for security emergencies, provide assistance to the administrators of critical infrastructure in applying proactive measures for risk reduction and provide assistance in reducing the consequences of security emergencies. The activities of BIH CERT should be both proactive and reactive. Namely, in a proactive sense, BIH CERT should act before an emergency or other event that may endanger the security of information systems, for the purpose of preventing or mitigating possible damage. On the one hand, those proactive measures should include: (i) providing security warnings; (ii) monitoring ICT security technologies; (iii) disseminating information from the field of ICT security; (iv) promoting awareness of the importance of ICT security; and (v) offering ICT security education and training. In addition, proactive measures should be published.

On the other hand, reactive activities should include support in processing ICT security emergencies in several aspects, such as: (i) determining an emergency, which includes determining whether an observed emergency could be classified as an ICT security emergency and the scope of the emergency, together with developing and distributing security warnings; (ii) coordinating emergency solutions, which includes cooperating and coordinating with CERTs or other relevant bodies in Bosnia and Herzegovina; and (iii) providing emergency solutions, which covers security warnings and coordinating in solving emergencies [11][13].

Besides serving an advisory role, another goal of BIH CERT is education. In that context, BIH CERT should publish bulletins with the latest information regarding security and proactive measures for mitigating risks on a continuous basis. Education also includes organizing workshops for critical infrastructure security administrators on a regular basis.

Further on, when it comes to elaborating short-, mid- and long-term strategic goals, BIH CERT should immediately, upon establishment, submit a request for registration/accreditation by the relevant international institutions. In addition, BIH CERT should establish direct communication and cooperation with ENISA, TF-CSIRT, national CERTs from the region as well as the most significant CERTs in Europe and the world. Also, BIH CERT should identify critical infrastructure in Bosnia and Herzegovina that needs protection, establish contacts with its administrators and define rules for information exchange with them.

With the realisation of its mid-term goals, BIH CERT should identify other information systems that require assistance in security issues and expand its activities towards them. Together with the continuous evaluation of the state of critical infrastructure security and of critical infrastructure administrators’ education, this will generally improve the state of security. BIH CERT’s long-term goal is to support the establishment of CERTs on different state levels as well as in the private and academic sectors.

The Proposed Structure

There are two models based on which the BIH CERT body could be established:

• Model 1: BIH CERT as an independent administrative organization or special body of the corresponding ministry;
• Model 2: BIH CERT as a constituent of the corresponding ministry.

The first model would require the adoption of a state law on BIH CERT that would arrange all aspects of its functioning, beginning with its establishment, definition, financing, competences, organization and management. However, it is not EU practice to adopt regulations on CERTs, but instead to adopt a law on information security and thereby, in a broader context, define the rights and obligations of all counterparts in the field. CERTs in EU Member States are usually established by government decision. As previously recognized, the need to adopt a law on information security in Bosnia and Herzegovina is not questionable; the establishment of BIH CERT contributes to the actualization and acceleration of the adoption of that law. However, the efficiency of this model is questionable, since one cannot estimate the time required for adopting regulation. Likewise, the financial and human resources in the context of this model are difficult to plan or acquire in this period of crisis, because everything must be built from scratch. In that situation, the quality of the BIH CERT information system and communication would be strongly affected.

The second model may use the existing Law on Ministries and Other Administrative Bodies in Bosnia and Herzegovina for establishing BIH CERT [5]. Namely, according to the competences defined by Articles 10 and 14 of the Law, BIH CERT may be incorporated within the Ministry of Transport and Communication and the Ministry of Security. In this case, the structure of BIH CERT may be regulated by a decision of the Council of Ministers, on which basis one may estimate the implementation time, i.e. the establishment efficiency. In this case, BIH CERT would receive financial and administrative support from the existing resources of the corresponding ministry.

The Action Plan [13] also suggests the formation of a Council of Ministers’ coordination body whose primary task would be to solve and mitigate existing problems through recommendations and to support the establishment of BIH CERT and other CERTs in Bosnia and Herzegovina. The body would also publish mandatory recommendations to parties of interest, suggest the adoption of regulations harmonized with EU and NATO standards and recommendations, insist on the harmonization of existing laws, coordinate the activities between the ministries and law enforcement agencies regarding cyber security issues, suggest and initiate media campaigns and similar activities to raise awareness, and generally perform activities related to BIH CERT.

Conclusion

This text has aimed to give an overview of the current situation in the field of cyber security in Bosnia and Herzegovina and to describe the activities of the MoS in establishing the preventive BIH CERT. The procedure of institutional establishment of BIH CERT has not yet started, because opposing political interests and stances in Bosnia and Herzegovina have affected the adoption of the previously described Action Plan [13] and halted progress in this important apolitical field. In the broader context of the current institutional crisis in Bosnia and Herzegovina, the establishment of such a body on the state level will send a positive signal to citizens and the international community and result in many other benefits. Thereby, the government’s commitment to EU and NATO integration would be confirmed and no longer characterized as only declarative. In addition, it would strengthen Bosnia and Herzegovina in many fields and boost economic activity, since the country would be represented as a safe country for business investment [2].

However, it is only a question of time until these documents are adopted and activities towards ensuring cyber security in Bosnia and Herzegovina are reinitiated. That will be accomplished firstly due to EU recommendations and prerequisites that the country will need to fulfil in order to accede to the EU, which is the main foreign policy objective of the country. Those prerequisites include, as previously stated, the adoption of new legislation and the harmonization of current legislation regarding cyber security with the EU’s, and the reorganization of existing or establishment of corresponding bodies to enforce that legislation. Secondly, this project has no political dimension and the proposed structure of BIH CERT, together with its mission, activities and goals, is flexible and acceptable for all parties in Bosnia and Herzegovina. BIH CERT is envisioned as an expert body that has an advisory and coordinating character. Moreover, in the international context, the establishment of such a body in Bosnia and Herzegovina is desirable, because cyber threats know no geographical or political borders.

Recommendations

• The Council of Ministers of Bosnia and Herzegovina should adopt the proposed Action Plan produced by the Working Group;
• The Council of Ministers should authorize the MoS to establish BIH CERT;
• The MoS should establish BIH CERT in accordance with the proposed mission, vision and structure;
• The Council of Ministers should adopt the MoS’s proposal for the Law on Information Security and the Cyber Security Strategy for Bosnia and Herzegovina.

Bibliography

[1] Sabina Baraković, “Personal data protection in cyber space in Bosnia and Herzegovina,” (presentation held at Cyber Space Data Protection Conference, Sarajevo, Bosnia and Herzegovina, October 29-30, 2014).
[2] Sabina Baraković et al., “Overview of the Current Situation in Bosnia and Herzegovina with Focus on Cyber Security and Fighting Cyber-Crime by Establishment of BIH CERT Body,” in Cyber Security and Resiliency Policy Framework, ed. Ashok Vaseashta et al. (IOS Press, 2014), 65-81.
[3] “Finland’s Cyber Security Strategy. Secretariat of the Security and Defense Committee,” January, 2013, http://www.yhteiskunnanturvallisuus.fi/en.
[4] “The Constitution of Bosnia and Herzegovina,” accessed November 18, 2014, http://www.ads.gov.ba/v2/attachments/1951_USTAV_BOSNE_I_HERCEGOVINE_bos.pdf.
[5] “The Law on Ministries and Other Administrative Bodies in Bosnia and Herzegovina,” in Official Gazette of Bosnia and Herzegovina, 2/03, 26/04, 42/04, 45/06, 88/07, 35/09, 59/09, 103/09, accessed November 18, 2014, http://www.ads.gov.ba/v2/attachments/1978_ZAKON_O_MINISTARSTVIMA_INTEGRALNI.pdf.
[6] “Official Website of the Ministry of Security of Bosnia and Herzegovina,” accessed November 18, 2014, http://www.msb.gov.ba.
[7] “Stabilisation and Association Agreement,” June, 2008, http://www.dei.gov.ba/bih_i_eu/ssp/default.aspx?id=1172&langTag=en-US.
[8] “Convention on Cybercrime,” November, 2001, http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG.
[9] “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace,” February, 2013, http://www.eeas.europa.eu/policies/eu-cybersecurity/cybsec_comm_en.pdf.
[10] “Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union,” February, 2013, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2013:0048:FIN:EN:PDF.
[11] “The Strategy for Establishment of CERT (Computer Emergency Response Team) in Bosnia and Herzegovina,” Council of Ministers of Bosnia and Herzegovina, July, 2011, http://www.msb.gov.ba/dokumenti/strateski/default.aspx?id=6248&langTag=bs-BA.
[12] “Decision on Establishment and Appointment of Expert Working Group for Conduction of All Necessary Preparations for the Formation of CERT Body in Bosnia and Herzegovina,” December, 2011, http://www.sluzbenilist.ba/Sluzbeni%20dio/Sluzbeni%20glasnik%20Bih/2012/broj6/Broj006.pdf.
[13] “Akcioni plan uspostave BIH CERT-a” [Action Plan for the Establishment of BIH CERT], December 2011.

* Dr. sc. Sabina Baraković was a Professional Associate in the sector for informatics and telecommunication systems of the Ministry of Security of Bosnia and Herzegovina when taking part in the DCAF Young Faces Network 2014 cycle. All opinions and evaluations contained in the paper are those of the author and cannot be attributed to DCAF or any institution to which she is affiliated. The factual background for the paper might have been overtaken by events since early 2015.

http://www.dcaf.ch/Region/Southeast-Europe/DCAF-Southeast-Europe-Regional-Young-Faces-Network