Bruno VERMEIRE Belgian NSA INFOSEC Competent PRS Authority Federal Public Service Foreign Affairs Bruno.vermeire@diplobel.fed.be ++32.2.501 4573

homuskratNetworking and Communications

Nov 20, 2013 (3 years and 6 months ago)

78 views

Bruno VERMEIRE

Belgian NSA INFOSEC

Competent PRS Authority

Federal Public Service Foreign Affairs

Bruno.vermeire@diplobel.fed.be

++32.2.501 4573


Legal
Principles


Classified Information (CI) a target
?


The BEL
NSA


Belgian Cyber Security
Strategy


Protecting CIS handling
CI


Outsourcing


Challenges







National Security Authority : Preventive



Police : Proactive, Reactive



Justice : Repressive




Paper world thinking


Cyber thinking


CI = protection of national assets + assets of
other states on the territory


CI = targeted with sophisticated tools, even
when not connected

Are we
target ?

yes,

all
CIS handling CI are targeted


8 administrations:


Includes all principles


Collegial decisions


Cyber is not within the legal framework for
protecting CI


Legal framework cyber includes the protection
of CI


BEL CERT, limited services


Mil CERT


BELNIS


All BEL administrations with cyber security responsibility,
includes BEL NSA


Strategy approved by the government


Includes


Mechanism for approving security products


Accreditation of systems beyond protection of CI only


Implementation
probably next
Government


Strong focus on centralised approach, awareness & education


Appropriate cyber crime regulation


Includes adaption of Budapest Convention on Cybercrime


Pro’s


A
ppropriate security installed


Appropriate separation


Very good documented


trusted users


Contra


data exchange high risk (
MemStick
, DVD, …)


patch policy
not easy to
implement


Off line, direct assessment
difficult


Wireless (3G, 4G,
WiFi
, …)



Focus on


Vulnerability assessment


Protection


Trusted products


Creating technical legal framework (cyber
security standards for CIS handling CI)


Civil accredited evaluators


Government accreditors (BELAC
-

NSA)


Computer Network Exploitation

Cyber Terrorism

Cyber Warfare

Cyber Security

Cyber Defense


Cyber Monitoring

SIGINT

Information Operations

OSINT

Electronic Warfare

Information Deception

Operations Security (OPSEC)

Emanation security (EMSEC)

Information Assurance

Infosec

COMSEC

COMPUSEC

ISTAR

Electronic Defense

Electronic Surveillance

Computer Network Defense

Computer Network Attack

Cyber Network Operations

Computer Network
Offensive

Electronic Attack


Gov

evolution speed


Internet revolution


No global legal framework


Identification of responsibilities


Recognition as an armed attack/military
domain


It takes two to tango


Win/Win


minimal
level & equality requirement


Exposure risk


If you know what I can detect, …

you also know what I can’t …


Technology
advantage



People


Knowledge & Training


Computers &
networks



Cyber Capabilities must be developed during
personnel and budget cuts…


Thank

You

!!