Archive for February 2nd, 2018

h1

Ukrainian “Cyber Threat Response Centre” opens

February 2, 2018

In late November and again in early December 2017, entries appeared relating the imaginatively titled framework law for Ukrainian cyber security and defence – “About the basic principles of providing cyber security for Ukraine“.

For once a thoroughly decent framework law – perhaps to be undone or warped by subordinate statute and Resolutions or not.  Time will tell.

The December entry raised a few technical, logistical, infrastructure, command and control, structure and process, not to mention ethical questions:

“That particular entry highlighted the number of agencies and institutions with clear legislative responsibilities, and also a new State Owned Enterprise (SOE) set up under the umbrella of the Ministry of Infrastructure, as well as the creation of a “General Secretariat for Digital Infrastructure”  within the Ministry of Infrastructure.

The usual ensemble of spooks, law enforcement, State institutions and government.

As stated, there is nothing wrong with the framework law,  Indeed it appears to provide a suitable frame to hang what will be a raft of subordinate laws upon.  The devil will naturally be found within the details of subsequent laws required to complete and compliment the above linked legislation.

Currently that framework law defines what will be covered, and as importantly what will not be covered.  There is thus great scope for creativity by these influencing bodies, and for testing the elasticity of prose within an already (deliberately) loose statutory framework.

There will inevitably be FISA 702, or Investigative Powers Act, (or similar national equivalents) dilemmas to address – and no matter how many national deviations there may be, when it comes to sharing/providing access to partners, such domestic legislation has a far broader impact than purely domestic solutions.

Ergo, if Ukraine is heading “west”, whatever 702 or IP statute equivalent it arrives at, the statute should probably be approximated accordingly.

While the NSA and/or GCHQ and several others may well be able to kick the Ukrainian cyber door down, or perhaps better phrased, take a peak inside and poke about, it pays to have a legal mechanism that can open the door willingly too – to the extent that is appropriate for partners as and when deemed required.

However, cyber naughtiness is not restricted to espionage and counterespionage – be it State or corporate.  There is a convergence of organised crime and terrorism within the cyber realm that represent real threats to the State, and corporations too.  This notwithstanding a duty of State to protect its citizenry not only from such threats, but also from each other.

There are thus judgement calls to be made over issues such as exploits.

Which weaknesses to inform corporations about so that patches can be created, promulgated and installed – and which will be kept for tools of the espionage trade?  After all, no agency can be expected to be efficient if they have no tools to work with – but there is an overriding requirement to protect citizenry, corporation and State from hostile acts that would, or could, affect their safety.

Therefore the best tools are those that are not easy to find by adversaries to employ themselves, yet have a desired reach when it comes to penetration, and have an impact on public safety that is considered minimal enough not to require immediate patching.  There needs to be an array of tools.  Tools specific to the software.

Like all matters relating to the State, there are structures, processes, and implementation issues – and clearly the blog is staying well away from the intricacies of techy issues, for they fall far beyond its competency and understanding.

It is perhaps also wiser to talk less of offence and more about defence for the sake of certain sensitivities..

What issues will have to be effectively and unambiguously tackled – particularly so when talking of incident response when incident prevention fails?

The first will be government communication to business and constituents.

No differently to a terrorist attack, there is a “golden hour” (or a few hours) immediately following it during which an incident is framed.

It is not a time for speculation, hunches or intuition.  It is a time for accuracy.  If there is no new update, the update is there is nothing new to say – yet.  Neither silence, nor filling the silence with bunkum is useful.  Accurate and frequent updates is all that is required, and all that should be offered during the “golden hour(s)”.

One look at the agencies involved within the Ukrainian cyber security/defence legislation – CERT UA, the State Service for Special Communications and Information Protection of Ukraine, the State Center for Cyber ​​Defense, the National Police, the “agencies” (SBU, and FISU), the MoD, the NBU, the National Security and Defence Council (NSDC) and now Ministry of Infrastructure via its new SOE and “General Secretariat for Digital Infrastructure” – generates far too many talking heads, all of which have leaders who like to talk publicly (often about things they know very little about).

To be effective in the task of cyber defence and security, there is a requirement for tech industry input from outside the State institutions and agencies too – perhaps in real time as an incident unfolds.  After all, most data, data experiences and expertise is found outside of government agencies and institutions.

Perhaps the only thing worse than a government that does nothing when a reaction is required, is a government that deals with things in a half-arsed way when it does react.  Inclusion is good when it comes to formulating a response, but public communication has to be accurate and clear to be effective during and in the immediate aftermath of a public cyber incident.

That requires all but one of the talking heads from the list above to shut up.

More generally, there should be but one source for official advice and public statements to avoid misunderstandings among business and the constituency alike.  Bits of contradictory or unofficial comment, or just as bad, the need to go to several places to gather in all relevant information is folly.

In short a lead agency is required, to which all other agencies defer and direct others to in the public realm.

That said, ultimately a government or lead agency is not responsible for insuring everybody keeps their software patched.  The aftermath of an incident therefore may not be entirely reflective of the government ability to deal with it.

A more difficult issue perhaps is identifying a vulnerability to a software provider that refuses, or that is less than timely in producing a patch.  How to gain such compliance without drawing attention to that vulnerability by those that would exploit it?

Another question is where, if necessary, do all those involved in any incident response meet?

There are perhaps things that cannot be, or should not be done remotely.  There may be a need for all to see simultaneously, how an incident is unfolding, the solutions tried and the effects they have.  A requirement to abandon tech communication and talk face to face – whether it be due to the repercussions or implications of an attack, or simply a conference call with so many people being unmanageable.

The logical answer is to gather at the place where the most expertise and technical ability is centered – but where is that?  Do those from without government institutions and agencies require clearance to get in there – or see what they are to see, and hear what they are to hear?

Does that present potential for creating insider threats, or perhaps decrease them through lessons learned?

Which tech and industry sectors would be required from outside?  In what numbers to gather in the right insight and sector mass?

Who decides?  Who decides who decides?

How to create not only the statute required to fill out the current framework legislation, but define the structure and processes for effective implementation?”

On 2nd February, Secretary of the National Security and Defence Council (NSDC), Olexandr Turchynov opened the Ukrainian “Cyber Threat Response Centre” (CRC) – “Today we are opening the Center for Responding to Cyber ​​Corps, this is the core of cyber defense of our country.”  

Not before time considering Ukraine has been a cyber petri dish for Russian cyber experiments – notwithstanding attacks.

So what is the CRC?

It appears to be a location hosting a technical platform for the interaction of the multitude of government departments, spook and policing agencies.

It is unclear whether the CRC includes provisions for any (suitably cleared/vetted) private companies or corporations – though they will certainly be required to man the gates with, and/or otherwise “assist” The State in the cyber arena on occasion.

Obviously the CRC will also necessarily have to be able to liaise and interact with NATO, the EU and other partner nations in real time – after all not all cyber attacks upon Ukraine remain within Ukraine, and not all cyber attacks on other targets outside Ukraine can be guaranteed to remain outside.  With an internet necessarily connecting systems and people, unintended consequences can sometimes occur (and where they don’t connect, the human factor by malice or negligence normally manages to breach security eventually).

Also of note, the rumour circulating once again relates to the long muted “Cyber Troop”, to be built around the FISU (Foreign Intelligence Service of Ukraine) and Military Intelligence (HUR MOU) – both being proactive/offensive agencies active beyond the borders of Ukraine.

Should the “Cyber Troop” become a structural reality (regardless of any unofficial realities currently), whether or not, and to what extent, it would be involved with the CRC remains unclear.

Nevertheless – progress!

%d bloggers like this: