From CERT-Hungary to National Cybersecurity Centre

Ferenc Suba LLM, MA

Chairman of the BoardPTA CERT-HungaryVice-chair of the MBENISA

CERT-Hungary

- Started as a project by the Ministry of IT and Communications, now under Prime Minister’s Office- Partnership Agreements with: National Communications Authority, Financial Regulatory Authority, Prime Minister’s Office, National Bureau of Investigation- Accredited member of FIRST, TI, EGC- Operator of the National Alert Service of Communications as contractor- Responsible for information security of the e-gov backbone network- Trusted partner of the banking and energy sector (WGs) in CIIP, regular exercises-- International co-operations: FI-ISAC, Meridian, IWWN-- CERT capacity building: Bulgaria, South Africa

Government Foundation

- Theodore Puskás Government Foundation- Founded in 1993 by the Government of Hungary, academia, business companies- Governed by the Civil Code, Act on Public Benefit Organisations- Part of the yearly state budget- Supervised by the Prime Minister’s Office- Engaged in technology transfer, information security- Entitled to have business activities (max. 20% of the yearly income)- Flexible organisation, staff motivation, survives government changes- Think tank, preparation of regulation, project management, technical service

e-Commerce Act

- Only tool to motivate the ISPs- Liability clauses: indirect liability for ISPs = ISP is liable for any wrongdoing committed through its system if ISP does not co-operate to make the wrongdoing impossible- Reason: criminals are anonymous + attacks come through the ISPs + only ISPs can effectively take measures against them- Liability forms vary according to the function: content provider, storage provider, access provider, cache provider, information location tool provider- Principle: ISPs liability stands as of an e-mail about the wrongdoing committed through its system has been received

Ministerial Decree on National Alert Servicefor Communications

- Regulates CIIP in communications sector - Defines critical infrastructures legally- Defines incidents flexbily (list updated by the National Communications Authority)- Designates 8 communications providers (biggest ones)- Reporting obligation of the designated providers- Reports on incidents affecting at least 1000 users- Reports received and distributed by the Alert Service Centre- Distribution list: Ministries, Centre for Crisis Management, Services- Alert Service Centre outsourced to CERT-Hungary, under the supervision of the National Communications Authority

Government Decree No 223/2009.on the security of public electronic services

- Sections 8-10: National Cybersecurity Centre- Tasks: crisis management, central governmental system, National Alert Service for Communications, awareness raising, preparation of policy, CIIP collaboration, international representation- Control: Prime Minister’s Office, IT Security Supervisor- Framework: Theodore Puskás Government Foundation, by a public service agreement- Basic services free for the government, value-added services for payment

The Hungarian model

- Bottom-up approach, 5 years of evolution- Establish a flexible organisation- Be close to central government-- Use ENISA and partner MSs as leverage-- Have very strong international background-- Build up PPPs with interested private sectors-- Be not only technical (crisis management, awareness raising, policy making, national and international collaboration) -- Distribute your financial resources (state budget, state project contracts, service contracts, EU and national research projects)

Thank you for your attention and patience!

PTA CERT-Hungarywww.cert-hungary.huPuskás Tivadar Közalapítványwww.neti.huENISAwww.enisa.europa.eu