Current State of Cyber Security in the Czech Republic

National Security Authority
Current State of Cyber Security in the Czech Republic
Content
 Cyber Security System in the Czech Republic
 Draft legislation
 Practical example – DoS Attacks in March 2013
Cyber Security System in the Czech Republic
Recent development in cyber security
Ministry of Interior
2010 - Memorandum on the National Cyber Security Incident Response Team with the CZ.NIC Association
2011 - Strategy for Cyber Security 2011-2015 and accompanying Action plan
National Security Authority
2011 - Decision of the Government n. 781 of 19th October 2011 - NSA appointed as authority responsible for the field of cybernetic security
2011 - Active participation in the NATO exercise „Cyber Coalition 2011“
March 2012 - MoU with NATO on Cyber Defense signed
2012 - Legislative intent of the Law on Cyber Security approved by the Government (30th May 2012)
2012 - Amendment of the Strategy and Action plan
September 2012 - Start of operation of the Governmental CERT (IOC)
November 2012 - Participation in the „Cyber Coalition 2012“ exercise
Entities Active in Cyber Security
 Several teams in the Czech Republic are recognized by the international CERT/CSIRT community
 Operated by private or academic entities
 Crucial are GovCERT at the NSA CZ and the National CERT (CSIRT.CZ) operated by the CZ.NIC Association, as well as the Military CERT operated by the MoD
Responsibilities of the NSA in the field of Cyber Security
 Decision of the Government n. 781 of 19th October 2011
 NSA appointed as the authority responsible for the field of cybernetic security
 Establishment of the Council for Cybernetic Security
 NSA Director has to present the draft law on cyber security to the Government
 NSA Director has to establish a fully operational National Cyber Security Centre by 31st December 2015 and, as part of it, establish the Governmental CERT
Cooperation with entities in the Czech Rep.
 Cooperation and consultation with governmental bodies and public administration
• 2012 survey
• NSA director’s working group of experts
• NCSC director’s working group of CIOs
 Cooperation with the expert community
 Cooperation with universities
 Cooperation with other CERT / CSIRT teams, both national and international
International Cooperation
 NATO – participation in the Cyber Coalition exercise 2011 (as observer) and CC12 (as full participant)
 MAR 2012 – Signature of the MoU with NATO on Cyber Defense
 Information and experience sharing meetings with institutions in partner countries
 AFCEA – cooperation on the „Dictionary of Cybernetic Security“
 ENISA – representation of the Czech Republic in ENISA since JAN 2013
Draft legislation
Basic Principles
 Regulation by law – need to oblige both public and private entities (operators of critical infrastructure)
 Individual responsibility of the operator for the security of its network (protection against external attack and against misuse of its network for attacks on other networks)
 Division of cyberspace into areas of competence of the Governmental CERT (critical information infrastructure) and the National CERT
 Cost effective, not infringing on the rights of private entities in an excessive manner
Governmental CERT
Has in its competence:
• IS of Public Governance
• Operators of Critical Information Infrastructure (in cooperation with the Czech Telecommunication Office – fulfillment of license conditions regarding communication operators)
Basic duties of operators:
- Establishment of permanent communication channels with the NSA;
- Protection of ICT systems according to NSA regulations;
- Incident reporting and implementing measures recommended by the NSA
National CERT
• Operated by a private entity on the basis of a public-law contract with the NSA
• Mediates information sharing, particularly for private entities, the academic sphere, self-government and non-profit organizations not falling into the competence of the Governmental CERT
[Diagram: organisational scheme of the draft law; only the box and arrow labels are recoverable. Boxes: Government; Prime Minister; NSA; Director; CS Commission; State of cybernetic emergency; National Cyber Security Center; Governmental CERT/CSIRT; National CERT/CSIRT; Critical information infrastructure; ISs of public governance; Important ISs; Important ISPs; ISPs. Arrow labels: Reporting of incidents; Implementation of security measures; Implementation of counter-measures; Cooperation; Information sharing.]
Next steps
May 2013 - Interministerial consultation procedure on the draft Law on Cyber Security
June 2013 - Submission of the draft to the Government
September 2013 - Submission of the draft to the Government
December 2013 - Report on the state of cyber security for the Government (including private entities)
beginning 2015 - Law on Cyber Security in force
NLT 31/12/2015 - Fully operational National Cyber Security Center
EU Strategy on Cyber Security
 Issued by the Commission in February 2013
 Main tasks:
• Reaching cyber resilience
• Significant reduction of cyber crime
• Development of policy and capabilities of cyber defence in the framework of the Common Security and Defence Policy (CSDP)
• Development of industrial and technological capabilities of cyber security
• Coherent EU policy regarding cyberspace
 The Czech Republic already fulfils most of the goals (Cyber Security Strategy, governmental/national CERT)
EU Directive on Network and Information Security (NIS)
 Proposed by the Commission in February 2013
 To reach a high level of cyber security across the EU
 Cooperation of the Member States in this field
 Harmonization of standards in the field of cyber security and facilitation of information exchange among relevant actors
EU Directive on Network and Information Security (NIS) – Czech comments
 The draft is in line with our policy and we welcome it
 The Law on Cyber Security shall implement it into Czech legislation
 We have only partial comments:
• To limit the scope to critical infrastructure
• To allow greater flexibility for the member states (e.g. to allow more CERTs with nation-wide responsibility)
Practical example
DoS Attacks in March 2013
The Course of the Attacks I
• Monday 4th March – the attack targeted news servers; the servers involved were the largest and most visited news servers in the Czech Republic.
• Tuesday 5th March – the main page and login page of Seznam.cz, the largest portal and search engine in the Czech Republic with more than 150 000 daily registered users, were targeted. Seznam.cz was unavailable from 10:00 a.m. to 11:30 a.m. The attack reoccurred around 1:30 p.m. and resulted in intermittent unavailability of servers.
The Course of the Attacks II
• Wednesday 6th March – the attack targeted the web servers of all major banks, resulting in unavailability of their webpages and internet banking services from approx. 9:30 to 11:00 a.m. The e-commerce service and some ATMs of Česká spořitelna bank were not operational for a short period of time as well. The second wave of attacks on the servers of Česká spořitelna bank came at 2:00 p.m.
• Thursday 7th March – the attack started at 9:30 a.m. and targeted servers of two (of three in total) major mobile telecom operators (Telefonica O2 and T-Mobile). Telefonica eliminated the attack around 10:00 a.m., T-Mobile around 11:00 a.m.
• Various other services were affected by the attacks as well (including the servers of the state governance) due to shared infrastructure. However, no critical infrastructure was involved.
Types of Attacks
The attacks utilized the so-called “three-way handshake” feature of the Transmission Control Protocol (TCP).
Types of Attacks – SYN Flood
• The first attack (carried out on Monday and Tuesday) was a so-called “SYN flood” type of attack.
• A large number of SYN messages is sent to the targeted server, which replies with SYN-ACK messages.
• However, the ACK message never comes, and since the targeted server has to allocate certain capacity for each expected connection, its resources are soon depleted.
Types of Attacks – DRDoS
• The second type of attack (carried out on Wednesday and Thursday) was a Distributed Reflection Denial of Service (DRDoS) type of attack.
• The attacker sends SYN messages with the spoofed IP address of the target to third-party servers (reflectors).
• They reply with SYN-ACK messages to the target server and overload its capacity.
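The three slides above describe the TCP three-way handshake, the SYN flood and the SYN-ACK reflection (DRDoS) pattern. The Python script below is an added example and is not part of the NSA presentation; it shows how a defender can recognise both patterns in a stream of TCP packet summaries. It tracks handshake state per client and counts SYNs that were never followed by the client's ACK (the SYN flood indicator), and it flags inbound SYN-ACKs for which the monitored host never sent a SYN (the reflection indicator, since a reflector only answers a SYN that carried the target's spoofed address). The log line format, the monitored address 192.0.2.10 and every packet line are constructed for this example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    direction: str  # "in": arrives at the monitored host, "out": sent by it
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "A" = ACK (constructed notation)


# Constructed address of the server being protected (documentation range).
MONITORED = "192.0.2.10"

# Constructed packet summaries, in time order: one legitimate client
# (198.51.100.7), one source sending SYNs that never completes a handshake
# (203.0.113.5), one outbound connection opened by the server itself, and
# unsolicited SYN-ACKs from two reflectors (203.0.113.200 and .201).
CONSTRUCTED_LOG = """\
in 198.51.100.7:50000 > 192.0.2.10:80 S
out 192.0.2.10:80 > 198.51.100.7:50000 SA
in 198.51.100.7:50000 > 192.0.2.10:80 A
in 203.0.113.5:40001 > 192.0.2.10:80 S
out 192.0.2.10:80 > 203.0.113.5:40001 SA
in 203.0.113.5:40002 > 192.0.2.10:80 S
out 192.0.2.10:80 > 203.0.113.5:40002 SA
in 203.0.113.5:40003 > 192.0.2.10:80 S
out 192.0.2.10:80 > 203.0.113.5:40003 SA
in 203.0.113.5:40004 > 192.0.2.10:80 S
out 192.0.2.10:80 > 203.0.113.5:40004 SA
in 203.0.113.5:40005 > 192.0.2.10:80 S
out 192.0.2.10:80 > 203.0.113.5:40005 SA
out 192.0.2.10:33000 > 198.51.100.9:443 S
in 198.51.100.9:443 > 192.0.2.10:33000 SA
in 203.0.113.200:80 > 192.0.2.10:12345 SA
in 203.0.113.201:80 > 192.0.2.10:12346 SA
in 203.0.113.200:443 > 192.0.2.10:12347 SA
"""


def parse_line(line: str) -> Packet:
    """Parse 'in 203.0.113.5:40001 > 192.0.2.10:80 S' into a Packet."""
    direction, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(direction, src_ip, dst_ip, int(src_port), int(dst_port), flags)


def half_open_by_source(packets: List[Packet], threshold: int = 5) -> Dict[str, int]:
    """SYN flood indicator: per client address, count SYNs to the monitored
    host whose handshake that client never completed with the third-step ACK.
    Only clients with at least `threshold` half-open connections are returned."""
    syn_seen: Dict[str, set] = defaultdict(set)    # client -> {(sport, dport)}
    completed: Dict[str, set] = defaultdict(set)
    for p in packets:
        if p.direction != "in" or p.dst != MONITORED:
            continue
        key = (p.sport, p.dport)
        if p.flags == "S":
            syn_seen[p.src].add(key)
        elif p.flags == "A" and key in syn_seen[p.src]:
            completed[p.src].add(key)
    return {ip: len(keys - completed[ip]) for ip, keys in syn_seen.items()
            if len(keys - completed[ip]) >= threshold}


def unsolicited_synacks(packets: List[Packet]) -> Counter:
    """DRDoS indicator: inbound SYN-ACKs for which the monitored host never
    sent the matching SYN, i.e. a third party answering a SYN that carried
    our spoofed address. Returns reflector address -> count."""
    our_syns = set()                                # {(peer ip, peer port, our port)}
    reflected: Counter = Counter()
    for p in packets:
        if p.direction == "out" and p.src == MONITORED and p.flags == "S":
            our_syns.add((p.dst, p.dport, p.sport))
        elif p.direction == "in" and p.dst == MONITORED and p.flags == "SA":
            if (p.src, p.sport, p.dport) not in our_syns:
                reflected[p.src] += 1
    return reflected


def analyse(lines: List[str], threshold: int = 5) -> dict:
    """Run both detections over raw log lines and return a summary."""
    packets = [parse_line(line) for line in lines if line.strip()]
    return {
        "syn_flood_sources": half_open_by_source(packets, threshold),
        "reflectors": dict(unsolicited_synacks(packets)),
    }


if __name__ == "__main__":
    report = analyse(CONSTRUCTED_LOG.splitlines())
    for ip, n in report["syn_flood_sources"].items():
        print(f"SYN flood suspect {ip}: {n} half-open connections")
    for ip, n in report["reflectors"].items():
        print(f"Reflector {ip}: {n} unsolicited SYN-ACK(s)")
```

On real traffic the summaries would come from a packet capture or flow export rather than the embedded string, and the half-open threshold would be set per service from its normal baseline; the legitimate outbound connection in the sample shows why the reflection check must key on the host's own SYNs rather than treat every inbound SYN-ACK as hostile.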
Conclusions
• No damage, but a lot of media attention.
• No one claimed responsibility and also the motive remains unknown.
• The tracking of packets during the attack showed that they came
from the RETN network operated mostly on the territory of the
Russian Federation. Further tracking was not possible according to
the RETN operator.
• The attacks were the first of similar scope on the territory of the Czech Republic and proved to be a valuable exercise of cyber security cooperation and of the capabilities of private, state and academic entities.
• The cooperation and information sharing considerably improved
during the attacks and resulted in improved response to the attacks
which was probably the reason why the attacker ceased activities
after four days.
Lessons learned
• The legal basis for sharing important operational data
among various companies and institutions active in
cyber-security has to be established.
• The entities have to pay attention to the design of their IT
infrastructure from the security perspective and include it
in their crisis plans.
• The network of points of contact in the most important
companies and institutions has to be established and
updated.
End of Presentation
Questions?