13 January 2020

Daniel Ionita, Director of CERT-RO’s Analysis, Policy, Cooperation Directorate: Cybersecurity comes at a price. There’s the saying “we’re too poor to purchase cheap things”

Indira Crasnea

Cybersecurity comes at a price, and the saying “we are too poor to purchase cheap things” also applies in this field, said Daniel Ionita, director of the Analysis, Policy, Cooperation Directorate of the National Response Center for Cybernetic Security Incidents (CERT-RO), at MAS Live.

Moderator: NIS and GDPR suddenly came into our lives, and it seems they shook us. Are the NIS Directive and GDPR something that should scare us, or should they be something normal, there to protect us? What can regular, non-specialist people take away from these two areas, and how do they actually affect us?

Daniel Ionita: We shouldn’t be afraid. There are good things which will happen in accordance with NIS and GDPR provisions.

But before NIS and GDPR – since we are talking in acronyms – I hope that CERT will have the same impact. It stands for the National Response Center for Cybernetic Security Incidents. And I use this occasion to point out that in the 6-7 years since its establishment we have reached the position of being – or of about to be – the national NIS implementation authority.

The NIS Directive, as it is known – the Network and Information Security Directive – alongside GDPR – the General Data Protection Regulation – are two very important documents for the European market which impact Romania.

If we look at history, there were talks in 2013 about the European cybersecurity strategy. Back then, those who developed this strategy thought about how to separate things a little.

On the “stage”, there were already actors from both the defense and the criminal fields. But the European Commission focused on, had as an objective, the economic area. This is the essence of the European Commission as an organism.

That’s when it was agreed to set up three pillars of European cybersecurity. The first pillar was NIS – the security of networks and information. The second and third are outside this discussion: cybercrime and cyber-defense, because they are within the responsibility area of CERT.

Returning to the NIS pillar, things were extremely well reasoned. If we want to have economic growth, we need a single European market. If we want to have a single market, we must forget about technological development. To have a digital single market, we need those who use digital services in those markets to also trust them.

To trust using digital services, there needs to be cybersecurity.

And we got to the necessity of the NIS Directive.

So it is the directive which regulates the main pillar, the economic one, of the cybersecurity strategy. If things stand this way, there was also a need to set up an authority to do this.

The NIS Directive was approved in 2016. Its enactment was scheduled for May 2018.

GDPR provisions also came into force in May 2018.

Many times we have been asked, as CERT-RO experts, if and how GDPR affects the area of cybersecurity.

I told them that, despite the fact that the national authority for implementing GDPR is the National Authority for Surveillance of Personal Data Processing (ANSPDCP), from our point of view there is nothing new compared to what I was saying before: personal data can be affected in the online medium – their confidentiality, their integrity, their characteristics – if cybersecurity rules and measures are not followed.


So, from our point of view, there is nothing really new. We said before GDPR that cybersecurity measures must be taken to avoid personal data being accessed. Now GDPR comes along and states the same thing more strongly and with more sanctions – if these measures are not implemented.

As such, from our point of view, whoever is safe regarding the cybersecurity regulated by NIS is also safe in the area of GDPR. It is the common point between NIS and GDPR. These are the Europe-wide provisions.

Now, we all know that regulations are applied ad litteram. The provisions of European regulations simply apply, while those of directives, member states are obliged to transpose.

Currently, we are in the process of transposing provisions of the NIS Directive into national law.

Moderator: So, after all, there is nothing new, nothing groundbreaking; it is more precise…

Daniel Ionita: It is more precise, more clearly defined. I’m coming back to this: it’s a good question whether it should scare us.

First of all, those subject to the NIS Directive and to the bill transposing it are operators of essential services and digital service providers. And also actors on the market. They are not individuals. No individual will be affected by the enactment of the bill transposing the NIS Directive.

We are only talking about essential service operators. Those structures which provide services without which we couldn’t talk about a normal life for citizens. The impact is on the market, in the economic area. The NIS Directive states that essential service operators must be designated by November 9.

So, the directive provides a six-month period for member states to identify their essential service operators and digital service providers. We are talking here about the online marketplace, about cloud services, about search engines in the case of digital service providers.

But essential service operators are effectively categorized into seven areas, the ones with the most impact being energy, transportation, health, financial…

NIS regulates activity in these extremely important economic fields. Which must be regulated, as I said; they must be regulated so that the services provided by these operators happen within a normality which would allow the development of the single European market.

Moderator: And we, as individuals, feel more protected?

Daniel Ionita: And we as individuals feel more protected. We are the beneficiaries of these essential services.

If before, when the power went out, no one was doing anything about it or was not obligated to do so, now, if the cause of the essential service’s interruption is a cybersecurity incident which affected, took over control of an industrial control system, then that essential service provider is required to notify the national implementation authority.

He will certainly know that, if he didn’t take every measure for this not to happen, he will suffer. Therefore, we expect the quality of these services to be better, superior to the one currently existing.

Moderator: Do you have the results of the June 7 simulation, the Cyber Europe drill “Cyber attack against an airport”? What does it show us? What must authorities learn, what must they apply?

Daniel Ionita: We do. The drill is also not new. Since 2010, ENISA has been coordinating such cybersecurity drills EU-wide, in which different scenarios are simulated or the reaction of authorities to different kinds of threats is tested in different simulated scenarios. Of course, coming from the online space, we are talking about cyber threats.

This year saw probably the most elaborate drill of its kind so far. Participation was very high; we are talking about almost 900 specialists from 30 states who took part in this scenario.

What did we learn that is new? We learned again that we cannot go on without cooperation. That we need to start facing the threats in these sectors – transportation is one of the areas covered by the NIS Directive – and that is why ENISA stopped in a first phase, it concentrated in the first year since the enactment of the NIS Directive exactly on the scenario of simulating an attack in one of the sectors, transportation, civil aviation.

We saw that the systems are vulnerable, because for a long period of time the development of systems was focused – somewhat required by the law – on purchasing the cheaper systems, taking the cheaper offers. Those equipment offers did not always include a cybersecurity component.

Another thing we must learn: security is costly. Equipment used to develop computerized systems must include the cybersecurity component. That’s what we would wish for; we are talking about security by design.

Some would say – and they are partially right – that it would be a utopia. Because everyone is trying to make a profit in business. But maybe at least for the essential sectors… We are talking about the Internet of Things. You know very well that there are all kinds of reports. By 2020, billions of devices are estimated to be connected to the internet. All of these devices – and here come the remarks of those who say we are utopian – even if they were to have security components, could not be patched later on, either because they are forgotten, distributed, bought, put on the internet by their owners, who do not have a personal responsibility. Yes, but we need to start from somewhere. If we start from the premise that we couldn’t accomplish anything anyway, then we will really not have any results.

Coming back to the drill. I was telling you that it was coordinated by ENISA. The national coordinators are the member states’ own CERTs for the EU, and of course in this context CERT coordinated the action. It took place in our innovation center for cybersecurity, which was actually the pilot project for this center. It’s worth noting that Romania had the most participants; it was the member state with the largest participation in the drill.

And the scenario was interesting, in the sense that an attack on an airport’s computerized systems was simulated and neither the passengers nor the luggage could be registered. Of course, airplanes stayed on the ground; of course it creates a state of discontent, a blockage of air services, with all of its consequences.

What we also learned was to be aware, as we’re also talking about awareness. This means being aware that such scenarios can easily happen if we don’t take the necessary security measures.

Moderator: And the philosophy would be that there is nothing both cheap and good quality in cybersecurity…

Daniel Ionita: Yes, but then there is nothing both cheap and good quality in anything. If we had to get to cybersecurity to learn this, we have wasted time. There is also the saying that “we are too poor to buy cheap things”.

Moderator: What risks are there for a user who engages in the cryptocurrency market, and how can we avoid them?

Daniel Ionita: There are several risks, types of danger, when you talk about engaging in the cryptocurrency market.

Some of them depend on the currency, not on the crypto but on the currency, in the sense that they are most likely in the bank registry, meaning that experts in the banking sector have more details about them. I will stop upon market volatility, the fact that it is not recognized as a currency, the fact that it could be a speculative instrument. That’s what I know from speeches and presentations of financial experts.

But there are also risks regarding cybersecurity, and I assume that is what your question is referring to.

You realize that, even if we are talking about blockchain technology, it can also be used in business in other ways, in its basic principles. That’s how it appeared, tied to virtual currency, but if we use blockchain for certain business processes it’s OK; if we need to go into the cryptocurrency area there are some risks.

I understand that 10% of transactions are affected by theft; hackers also know this, as some of them are speculating on cryptocurrency and are trying to profit from it. Then there are also all kinds of currencies which were launched exactly to avoid checks, to cover up the funds’ destination, and then the obvious risk is to come into conflict with legal provisions and with law enforcement.

And finally, there are also the cybersecurity risks I stated earlier.

Now, even if it’s not about engagement, we also had all manner of incidents in Romania, some of them even recent. We have a guide posted on our site for public institutions on how to take measures against having their resources used by those generating cryptocurrency.

So there are multiple risks; we will stop only upon those related to security and, in the case of cryptocurrency, as with using the internet in general, we also need to take into account security measures which are so, so simple, well-known and very usually not applied.

Moderator: So firstly we need to apply them, because we know them…

Daniel Ionita: So firstly we need to apply them because they are simple and we know them; it’s not philosophy. Many say that cybersecurity is not a very technical thing and that it depends on the human factor, and they are very much right.

Regardless of what systems you could have, without human action… There was also a joke about a phone. “Are you sure?” / “Yes.” / “Do you really want to install?” / “Yes.” / “Are you sure?” / “Yes.” / “Are you stupid?” / “Yes.”… Because we keep pressing yes and then we are surprised when we get infected.

Moderator: Are you preparing new regulations or obligations for users for better protection against current cyberattacks?

Daniel Ionita: We are. I need to specify that a second step after transposing the NIS Directive is also to draft the subsequent legislation. It’s not that no one is bothering with it; a timetable has already been set, it was even presented by the Communications and Computerized Society minister.

We are waiting for the primary legislation to appear, which will be the basis for the secondary legislation. But strictly on what you’re asking me, it’s about drafting that list of essential service operators and digital service providers, it’s about setting the requirements for being included in those lists. I won’t present them necessarily in chronological order or how they will happen, but I will do it overall – this will be decided by ministry experts.

We want to establish this through an inter-ministerial group by government decree, because it is obvious that CERT, as the national implementation authority, will not immediately find the necessary expertise to address the problems of seven sectors which are so radically different. Of course, those from the health sector are familiar with problems regarding health. You can’t compare health apps with those from the energy sector. One of them stores and processes personal data, and the other is about industrial control systems.

And then we proposed to establish this inter-ministerial group, with experts from every ministry – when I say ministry I also refer to their subordinate institutions – where we will find the necessary expertise. They need to take part in this group, and together we can set the requirements for becoming essential service operators, what the minimum cybersecurity measures are which must be taken, how cybersecurity auditors in the NIS area will be assessed – not only in general, but those who will make cybersecurity assessments from a NIS perspective for essential service operators.

All this is subsequent legislation – we are talking government decrees, ministerial orders, decisions of the CERT-RO general director at every level, as they are stipulated in the primary legislation, but this will be the second step.

Moderator: Which is very thick…

Daniel Ionita: It is, but we have kept it concentrated somehow. There have been two or three approaches at European level: to establish or transform an existing national authority, or to involve seven other authorities from the seven sectors. We went with the first option, to develop an already-existing authority.

What was the reasoning behind this? There are three qualities held by the NIS national implementation authority: one is that of the authority itself, of monitoring and implementing; one is that of a team, and that function we were already accomplishing as the national CERT; and the third, that of a contact point – of course we were already the contact point for the area of cybersecurity. And then we decided to use our already-limited financial resources efficiently.

We are taking the institution which already serves two functions, we add only the third one by developing a new structure within CERT for monitoring and implementing the NIS Directive, and we will see how things evolve later on. Of course we would have wanted to talk about seven authorities with seven sectoral CERTs, but you can’t always have what you wish for.

Moderator: Are you certain that the timetable will be respected?

Daniel Ionita: There are many factors at play in this. I am certain that we will try to respect the timetable; it is the only certainty I can have.

We have prepared our projects, but you know that there are a lot of factors in this equation. But what I can tell you is that the necessity of transposing the directive in all the formats that we discussed has been understood; we have not encountered obstacles. The people, institutions, public authorities which are part of this process have understood its need, its necessity, and then it is clear that things can go ahead.

Now, maybe we are a bit late compared to the calendar, but you should know that there are very, very few European states, you can count them on your fingers, which have declared that they have already implemented the directive. And declaring is one thing, reality is another. We could have also declared, but we would rather do it and demonstrate rather than declare.

Moderator: We inevitably get to the statistics side. What do the latest statistics say about the frequency of cyberattacks registered in Romania? Are we under siege?

Daniel Ionita: We are attacked, but you should know that it’s not only us. Cyberattacks happen daily; attempts by other persons to use our resources are commonplace.

If we look at the statistics, I will refer to data included in the annual CERT-RO activity report, actually in a report annexed to the CERT-RO report, specifically the report regarding security incidents in 2017. It’s not the newest one, but I ask permission to focus only on the CERT one, because that’s what I can talk about.

For the sampled period, January 1 – December 31, 2017, we processed approximately 140 million cybersecurity alerts. 82% of them refer to vulnerabilities. It’s obvious that not all of these vulnerabilities were exploited. What we say in the report is that they can be exploited. I think more important – and also the essence of your question – is to ask why we are in this situation.

And that’s because one of the causes is user education in cybersecurity. Of course, some are interested in this security, while others are less interested. Some prefer the speed of information transfers and are not very focused on security; to each his own.

I was telling you that these regulations must be done step by step and must start from the key sectors of the economy. We can’t stop to consider the opinion of every individual who decides how he installs an application on his phone. But what is observed from our report is that we see repeating security alerts which refer to older vulnerabilities, which do not affect recent, updated operating systems. So it is obvious that in the national cyberspace we are still using outdated operating systems, without a license, downloaded from the net without a license. But, if they don’t have a license, they cannot apply the security patches. Of course this also has a financial reason, maybe because those are free and an antivirus costs money. We recommend also installing an antivirus; we know that nothing is free or that everything that is not cheap is good, but we recommend minimum cybersecurity measures.

Moderator: Director, how safe are the IT systems of Romanian public institutions?

Daniel Ionita: Well, you should know that there is a joke in the field of cybersecurity: you’re only safe as long as you’re not a target. When you become a target, you are no longer safe.

It depends on what type of cyber threats we are referring to. We are talking about two layers of cybersecurity and of malicious actions on the internet. There are the common ones, where someone scans the internet, identifies resources which can be used and exploits them, for example, for a botnet. I was reading a statistic the other day that it is extremely cheap to order a “denial of service”-type attack, which is done with the help of a bot network.

It is extremely cheap because those who develop such networks also sell them, providing those kinds of services, to “interrupt the target’s service”; they co-opt these bots into networks without the user being aware. And then, of course, they don’t pay a dime for this, and that allows them to sell cheaper. This is a lower level of cyberattack complexity.

Unfortunately, it is the level which could be tackled with those minimum cybersecurity measures, but we don’t always manage to do it because we do not apply these measures. If you’re referring to this, it is quite simple to resolve. Installing those licensed operating systems I was talking about – and public institutions obviously work on such operating systems – installing security patches as they appear – because if you install them one month after you received them through the license, you are vulnerable for the entire month, of course. So this is only a basic level, where issues can be solved. It only requires consistency in applying cybersecurity rules and policies, some financial resources for that equipment which can resist these types of attacks and could signal cyber threats.

The second level is when you are a target and you are not safe anymore. We are talking of a different type of threat here. They are most likely under the competency of another Romanian institution, which deals with them and keeps presenting these advanced persistent threats in different formats, the “APTs” which cybersecurity experts refer to.

I would stay on the first level, which is under the competency of CERT, that of basic protection of the institutions’ computerized systems, not only governmental ones; we are a national CERT. We are approached by institutions from the academic, public or private medium, by citizens, young and old, who address us with varying requests. Some of them we can solve technically; for others we don’t have any legal competency and we transfer them to the state institutions with legal responsibilities in that case.

But, to answer you: our systems are sufficiently safe, but they sure can be even safer.

Moderator: Are there help requests from the military sector?

Daniel Ionita: Cyber threats do not make any distinction. I remember a classification which was made, at that time, by the commander of the United States Cyber Command. He listed these threats in three categories: exploitation, disruption and destruction (meaning those who steal data, those who affect services and those who destroy them). Exploiting information is done, regardless of the medium, in the same manner: military, electronic, industrial espionage, with electronic means which seek to extract information.

What I’m telling you is a matter of principle. As for what they are actually facing, there is a structure within the Defense Ministry, CERTMIL, which deals with threats affecting the ministry’s IT systems. It’s not in our competency; there are other structures which handle it.

But sure, we do have cooperation programs; we cooperate. If we have threats we know could affect their systems, we forward the information to them so they can take the necessary countermeasures.

Moderator: To end on a fairly warlike note, and maybe for the benefit of an exercise in imagination, more or less: will wars in the near future – of course, we don’t want them – be dominantly a cyber affair, and how much will the human factor control and intervene in them?

Daniel Ionita: In my opinion – I’m certainly not the most competent person to speak about this – the cyber component of any future conflict will obviously exist and is continuously on the rise. If we’re talking about cyber capabilities, offensive capabilities in cyberspace, effectively to strike, to stop services, if we’re talking about the destruction of certain infrastructure by tricking computerized systems – ten years have passed since we started talking about the use of the first cyber weapon – if we’re talking about this component, it will certainly grow.

But, even if we’re talking about the fact that military systems and equipment have computerized systems which gave them better performance, it’s obvious that those systems which support battle equipment, for example, can be affected. To what extent? Well, sufficiently to annihilate the kinetic force.

I think that, just as in previous times when there was talk about a conflict, there was talk about cutting diplomatic ties, after which the conflict started with a massive air raid, the same thing will also happen now. But probably now, before the massive air strike – I don’t know if it’s still written in military books – maybe a cyberattack could be, who knows, one of the first steps of a conflict like this.

Thus, I think that no future conflict will take place without having a cyber component.

Moderator: Thank you, we’ll be expecting you again.

Daniel Ionita: Thank you, I will gladly answer your invitation at any time.