Transcript Protection of Classified Information & Cyber Security

Bruno VERMEIRE
Belgian NSA INFOSEC
Competent PRS Authority
Federal Public Service Foreign Affairs
[email protected]
++32.2.501 4573
•
•
•
•
•
•
•
Legal Principles
Classified Information (CI) a target?
The BEL NSA
Belgian Cyber Security Strategy
Protecting CIS handling CI
Outsourcing
Challenges
• National Security Authority : Preventive
• Police : Proactive, Reactive
• Justice : Repressive
• Paper world thinking  Cyber thinking
• CI = protection of national assets + assets of
other states on the territory
• CI = targeted with sophisticated tools, even
when not connected
Are we target ?
yes,
all CIS handling CI are targeted
• 8 administrations:
– Includes all principles
– Collegial decisions
• Cyber is not within the legal framework for
protecting CI
• Legal framework cyber includes the protection
of CI
– BEL CERT, limited services
• Mil CERT
• BELNIS
– All BEL administrations with cyber security responsibility,
includes BEL NSA
• Strategy approved by the government
– Includes
•
•
•
•
Mechanism for approving security products
Accreditation of systems beyond protection of CI only
Implementation probably next Government
Strong focus on centralised approach, awareness & education
• Appropriate cyber crime regulation
– Includes adaption of Budapest Convention on Cybercrime
• Pro’s
– Appropriate security installed
– Appropriate separation
– Very good documented
– trusted users
• Contra
– data exchange high risk (MemStick, DVD, …)
– patch policy not easy to implement
– Off line, direct assessment difficult
– Wireless (3G, 4G, WiFi, …)
• Focus on
– Vulnerability assessment
– Protection
– Trusted products
• Creating technical legal framework (cyber
security standards for CIS handling CI)
– Civil accredited evaluators
– Government accreditors (BELAC - NSA)
Electronic Surveillance
Cyber Terrorism
Information Assurance
COMPUSEC
Cyber Defense
Electronic Warfare
Electronic Defense
Computer Network Exploitation
Information Operations
Infosec
COMSEC
Computer Network Defense
Cyber Security
Cyber Warfare
Emanation security (EMSEC)
Electronic Attack
ISTAR
Cyber Network Operations
Computer Network Attack
Information Deception
SIGINT
OSINT
Computer Network Offensive
Operations Security (OPSEC)
Cyber Monitoring
•
•
•
•
Gov evolution speed  Internet revolution
No global legal framework
Identification of responsibilities
Recognition as an armed attack/military
domain
• It takes two to tango
– Win/Win  minimal level & equality requirement
• Exposure risk
– If you know what I can detect, …
you also know what I can’t …
– Technology advantage
• People
• Knowledge & Training
• Computers & networks
Cyber Capabilities must be developed during
personnel and budget cuts…
Thank
You !!