CERT-RO is one of the institutions responsible with cyber security in Romania. How does a major cyber-attack look like from CERT-RO’s perspective?

We have recently had the opportunity to observe such a situation with WannaCry. We saw how things can become confusing when everyone starts commenting on the subject and those comments get presented as facts. This was one setback we had during the response. However, there were many parties that understood that CERT-RO is the certified institution to inform and update the media and the public on the impact, evolution and mitigation measures in the event of a cyber attack.  We were in direct communication with our international partners, sending and receiving constant updates. We also had to process requests for clarification from private and public entities on how to protect themselves, but also questions from the media. The latter were especially helpful for debunking myths and commentaries that were inaccurate or simply wrong.

All in all, it was a significant effort both technically and from a communication perspective.

Do the organizations (companies included) understand what is a cyber threat or a cyber-attack or other cyber incidents?

I’d start by highlighting a misconception. Everyone thinks that security is about countering cyber-attacks, but security starts a lot earlier. The way that companies build information systems and how well these systems are built to protect from and respond to incidents matters. Also, the procedures that companies have in place for prevention and reaction and how well the employees are trained to act on them matters a great deal. Of course, technology has an important role too but not on its own.

Therefore, the level of understating of cybersecurity is currently determined by the level of skilled workforce an organization has in order to design their business processes having a cyber security perspective in mind. Security by design is not just a concept or a nice catch phrase. It is a necessity all organizations should consider.

Is there a difference between the public and private sector when it comes to protecting cyberspace?

I would say yes. To a certain degree, central institutions are aware of the risks and the consequences they face, but have limited resources. On the private side there are some companies that are willing and have invested in security, while others, although they have the resources to protect themselves, have a less rigorous approach on risk assessment and don’t act on cyber security. However, there is more to be done in order to raise awareness in both sectors.

What are the main reasons behind a cyber-attack?

There are a few well defined categories of attackers. First, there are cyber criminals and their main driver is financial gain. These attackers target financial data, payment systems, private data, medical records and other information that can be monetized. Then there are hacktivists, who target state or commercial secrets and personal information about decision-makers with the purpose of influencing political decisions or social changes. Another threat comes in the form of cyber espionage and state-sponsored attacks that target critical infrastructure, intellectual property and state secrets with the purpose of gaining economic, political or military advantages. Last but not least, a category often ignored by the media is the inside threat. Employees or members of organizations target intellectual property, personal data or state secrets either for personal gain or for revenge.

What do you think that organizations should do to ensure their own cyber-security?

There are different approaches, depending on each institution. What matters most is having a correct and realistic risk assessment in place that takes into consideration intellectual property and data collected from employees and clients or beneficiaries outside the organization.

Do you have some statistics about cyber-attacks and vulnerabilities?

Of course, CERT-RO publishes an annual report based on the data gathered through its Early Alert System. These data consists of alerts from various national and international sources (other CERT structures, private partners, etc) and are gathered in a database regarding cyber security incidents. Last year we have processed over 110 million alerts that were grouped in 4 million incidents. These incidents affected 2.9 million IPs, or roughly 38% of the Romanian cyberspace. Most of them (60%) are vulnerabilities and roughly 40% are botnet. Last but not least, we estimate that 59% of the IT systems in Romania are vulnerable.