Bruno VERMEIRE Belgian NSA INFOSEC Competent PRS Authority Federal Public Service Foreign Affairs Bruno.vermeire@diplobel.fed.be ++32.2.501 4573 • • • • • • • Legal Principles Classified Information (CI) a target? The BEL NSA Belgian Cyber Security Strategy Protecting CIS handling CI Outsourcing Challenges • National Security Authority : Preventive • Police : Proactive, Reactive • Justice : Repressive • Paper world thinking Cyber thinking • CI = protection of national assets + assets of other states on the territory • CI = targeted with sophisticated tools, even when not connected Are we target ? yes, all CIS handling CI are targeted • 8 administrations: – Includes all principles – Collegial decisions • Cyber is not within the legal framework for protecting CI • Legal framework cyber includes the protection of CI – BEL CERT, limited services • Mil CERT • BELNIS – All BEL administrations with cyber security responsibility, includes BEL NSA • Strategy approved by the government – Includes • • • • Mechanism for approving security products Accreditation of systems beyond protection of CI only Implementation probably next Government Strong focus on centralised approach, awareness & education • Appropriate cyber crime regulation – Includes adaption of Budapest Convention on Cybercrime • Pro’s – Appropriate security installed – Appropriate separation – Very good documented – trusted users • Contra – data exchange high risk (MemStick, DVD, …) – patch policy not easy to implement – Off line, direct assessment difficult – Wireless (3G, 4G, WiFi, …) • Focus on – Vulnerability assessment – Protection – Trusted products • Creating technical legal framework (cyber security standards for CIS handling CI) – Civil accredited evaluators – Government accreditors (BELAC - NSA) Electronic Surveillance Cyber Terrorism Information Assurance COMPUSEC Cyber Defense Electronic Warfare Electronic Defense Computer Network Exploitation Information Operations Infosec COMSEC Computer Network Defense Cyber Security Cyber Warfare Emanation security (EMSEC) Electronic Attack ISTAR Cyber Network Operations Computer Network Attack Information Deception SIGINT OSINT Computer Network Offensive Operations Security (OPSEC) Cyber Monitoring • • • • Gov evolution speed Internet revolution No global legal framework Identification of responsibilities Recognition as an armed attack/military domain • It takes two to tango – Win/Win minimal level & equality requirement • Exposure risk – If you know what I can detect, … you also know what I can’t … – Technology advantage • People • Knowledge & Training • Computers & networks Cyber Capabilities must be developed during personnel and budget cuts… Thank You !!