
BSides Sofia 2023 - Keynote

BSides Sofia · 2023 · 21:54 · Published 2023-03
Speaker: Peter Kirkov, e-Government
Style: Keynote
Transcript [en]

Good morning, my name is Petar Kirkov, National Cybersecurity Coordinator. As keynote speaker of this technical cybersecurity conference, I chose to talk to you about regulations. And good morning, of course. Now we will see who has had their coffee. And yes, great. The reason I chose this topic, and the reason we should set aside the next few minutes for regulation, is that regulations are something that happens in the background of your daily work. In the background of all the things you do every day, all the problems you encounter, regulations are the tectonic movement that sets the direction. Very slowly, yes, at a very deep level, but these are the things that are happening. I would like to talk a little about the latest package of European Union regulations, which are gradually coming into force. These are things that are happening at the moment; some of them have not been implemented yet. The first is the so-called Cybersecurity Act, which actually deals with certification and which was implemented in 2019. In 2021 the act was adopted that establishes the European Cybersecurity Competence Centre, which deals with financing. On December 14 the NIS 2 Directive, Network and Information Security, was adopted, which Mr. Maznev already mentioned. And at the moment we are working on the Cyber Resilience Act, which deals with products. This is the latest package of documents, the four acts related to cybersecurity, but the story started a little before that. In fact, with GDPR, the first law talked about data, yes, personal data, but still data and data protection. Then, little by little, such regulations, such laws followed, and in fact from the point of view of IT regulation, of cybersecurity, the European Union is extremely advanced and extremely innovative. To the extent that other countries have more than enough to learn from us.
So, yes, we are currently here: December 14, transposition is in progress. That is, this is under way, we are going to introduce it into our legislation, most likely with a new cybersecurity law, a new ordinance on minimum requirements, and so on. But one thing at a time. The Cybersecurity Act actually deals with certification, and why is this certification important? Because, and I will answer the question why you haven't heard of it yet, although it dates from 2019, because this certification actually builds trust. Certification is a way for us to have trust in a given product, a given service, a given human skill, because someone has checked them, and this has happened through a very transparent, very clear, very repeatable method. And in fact we can count on it. The scheme is slightly specific, because the European cybersecurity agency, ENISA, actually develops the schemes, the schemes that are used to do these certifications. This is, I have a laser, I have a laser. These are the things up there, where the scheme is actually an assessment process, the requirements for the assessment and so on. Below that we have the national cybersecurity certification authority, the Ministry of e-Government, and the Bulgarian Accreditation Service, which actually accredits and supervises the conformity assessment bodies. Most of you would have said "the certifier", which is not a technically correct term; if my colleagues from BASA were here, they would beat me up. It is the body that actually attests that a given product, a given service or given skills correspond to the stated requirements. Currently there are three certification schemes that are relatively close to introduction. One is for the security of cloud services. We have a scheme for products, which is based on Common Criteria. And the third is a little further away, so I prefer not to mention it. But you will see in a moment how all four of these acts are interconnected.
And the goal is to build a common cybersecurity system in Europe. All these projects, all these initiatives, all these things cannot happen without money. Whatever it is, it's a question of budget. And the European Cybersecurity Competence Centre, or ECCC as we call it, was created by a regulation from 2021. The idea is for it to manage both the Digital Europe and Horizon Europe programmes, because in fact financing in the old way, in the traditional European way, is extremely ineffective in the field of cybersecurity. The moment we have to set up a cybersecurity project that will be financed in five years, it is hopelessly outdated by the time those five years have passed. That's why the Centre was created: to work with the national competence centres in the member states, to form communities, communities of the people who are engaged in cybersecurity, so that it can help the community to participate in international projects. As you know, a large part of the projects under Horizon are international; at least three or four member states participate at different levels. And to create the projects that are necessary for financing, that is, to create programmes to finance projects. As I told you, these things are literally in motion at the moment. This Centre is still not operationally independent; it is still led by the Commission. Yesterday we had a meeting of the Board of Directors. We expect it to become independent at the end of this year, at least that's the plan, to start working independently of the Commission. NIS 2. Actually, what most people don't realise is that the previous NIS directive was adopted during the Bulgarian presidency and we had a very serious part in its finally being adopted. And again, this is one of the most innovative regulations in the world related to network and information security. It is reflected in the Bulgarian law, in the ordinance on minimum requirements.
And here it continues with innovation and the introduction of new things. There are over 20 terms defined in the text itself. A far more holistic approach, that is, from network and information security we are already moving to cybersecurity, to a holistic approach to the protection of information, systems, etc. There are uniform criteria for operators, that is, for who falls within the scope; and what is necessary to note is that there is now a size cap. That is, the small ones are not regulated. When you are small, you do not fall under the regulation. And let's say this is one of the things that is extremely difficult when making regulations, because every word in a regulation means expenses for an organisation, and it is very important for these words to be chosen carefully. That's why regulations take so long and that's why it happens so slowly: so that they do good and do not kill an entire business sector or an entire class of organisations. So, at the moment we have a framework for the reporting of incidents. If I have time I will tell you about it, what the point is: that incident reporting is actually part of the immune system of European cybersecurity. A network called Cyclone is being created, which is a network for reporting incidents that can be used for the political response of the European Union. We can use a mechanism to help the European Union in a faster way than the standard IPCR mechanism, for the simple reason that cyber incidents move much faster than the usual incidents. I think so, as long as there is such a thing as an incident. As well as the so-called CSIRT network, the network of CERTs as it is known in Bulgaria. The requirements are laid down, and what is most striking is that the fines follow the GDPR model. The text mentions 7 and 10 million euros, because it was seen that in GDPR fines are a motivating factor for compliance.
The sectors are expanding, there are already 17, divided into critical and important. As you can see, quite broad sectors have been added from the manufacturing group, with a focus on food and chemicals. Digital services are expanded considerably. Managed services are added to IT. And to show you the legislators' way of thinking, I want to draw your attention to something. You see it there: scientific research. This was one of the points we argued about a lot last year, because scientific research, research and development, is usually universities. Usually in such an environment, as most of you know, cybersecurity, and especially the enforcement of requirements and regulations, is something that is quite difficult. But in fact the European Commission refused to omit this text, refused to consider it. We changed it a little; before that it was a little broader. Why? Because through innovation we create value in our economies, not only in ours but in the economies of the European Union, and this is the way we protect what we produce, the main engine of innovation, the main engine of economic development. So this is the level of thinking at that level. The Cyber Resilience Act, as I said, actually deals with products. The idea is that we start talking about cybersecurity across the entire life cycle of products. Like all products, we put them in a coherent framework of requirements. We have to simplify the requirements; now I will show you how these requirements fit into requirements that are already on the market. And we need to increase the transparency of the products. This allows people like you and me, end users and organisations, to use the products in a predictable way. When you go to buy a phone, you need to be informed how many years this phone will receive updates, how many years it will be supported by the vendor, which will most likely be linked to the price. This is on this rather hard-to-read graphic; I'm sorry, it could be better.
But actually I'm trying to communicate how we have this Cyber Resilience Act, which by the way is not yet adopted, that is, these things are still in the process of negotiation. But how do things look? In fact, everything that is black and grey is from previous regulations. The whole thing revolves around CE marking. And here we introduce something called a product with digital elements. That is, all these smart things, all your smart watches, all the phones, most likely projectors, cameras, in general anything that has a processor, has an attack surface and can be compromised. In fact we are already starting to have requirements for it; we are starting to have requirements for documentation. Some of these products are critical, so-called class 1 or class 2: for example, here we are talking about password managers, operating systems, specialised firewalls, things that are at the core of cybersecurity, for which there are specific requirements. And here, for example, the legislator says that such a thing either has to be certified voluntarily, here is the connection with that regulation from 2019, or it has to go through independent review. Most products actually go through what is called self-assessment: in the production process the manufacturer says, "Yes, I am in line with the requirements you have given, I declare it, it can be checked at some point." The standard CE marking is done the same way, so that there is no lead in the paint and so on. But for some things we are already starting to introduce much more serious requirements, so that when we use some products, when they enter the economy of Bulgaria and of Europe as such, they are safe, we have protection and we can react and manage these things. There is also a requirement for reporting, for managing vulnerabilities, and so on.
And the last thing I want to mention is not exactly a regulation, but a development by ENISA: the ECSF, the European Cybersecurity Skills Framework, which at this moment consists of a description of 12 profiles with their typical roles, skills, competences and experience. This is the first step in structuring the conversation around the same terms. This is the first step in introducing a European certification of cyber skills. Based on these profiles, the work continues: in fact, more and more information is collected for each of these profiles and at some point they will be developed into certification schemes, again under the regulation I mentioned at the beginning. Do you see how all these things are actually elements of the same model, with which we aim to protect all aspects of economic development in general? This is actually relatively new; it was adopted last year. Training courses, even in the universities, are starting to be structured around these profiles. In fact, the difference is not that big. No one has reinvented the wheel. I know the text is small, but most of these profiles are well known to you, for example the forensic investigator. And this actually means that all those boxes on the previous slide are different roles in which different people in cybersecurity work. Please don't leave, I'm stopping. I won't talk about regulations anymore. So, only two of you have left so far; we are doing great, we are finishing, I promise. So, actually we have a tremendous need for people, and for people who are capable, qualified and knowledgeable. This framework is trying to build the structure within which there is a targeted effort towards the development of these people, towards your development as specialists, towards the development of competences at the state level as well as at the European level. Now, not only regulations, so as not to bore you, some interesting things.
Last year we redesigned the entire platform of the national computer security incident response team, the so-called CERT BG. At the moment the platform is significantly more open, we have many more apps, and we are currently working to integrate many more technologies so that things happen automatically. Together with the National Coordination Centre we are working on building communication platforms around these communities, because they actually need to talk to each other. We are working on building sectoral computer security incident response teams, of which we currently have six; at some point there will be seventeen sectors, so it's even more fun. At the European level, as in Bulgaria, the development of national SOCs continues, which are quite specific. This is not the typical SOC that you might have to deal with on a given day. On February 15 a pilot funding call closed for transnational SOCs, which is a completely different animal. For the first time in the world we are starting to talk about a security operations centre that is above the state level, where most of the problems are not so much technological, that is, how, through what interface, in what format. In fact, most of the problems are purely legal: how do we share this information, what information do we share, where do we share it? Because this is something that should happen quickly, as close to real time as possible. But in fact we also need to protect our national interests, because we are not one country but 28 different countries. So this project is quite interesting, to see where it will develop, but we expect that in a few years we will have networked transnational SOCs that will help us exchange information about cyber attacks and cyber incidents as quickly as possible. This is the immune system of Europe that I mentioned a while ago.
Even if there is a specific cyber attack at one point in Europe, in some sector, somewhere, the information about this attack can be distributed quickly enough, with enough data, so that the rest of Europe can protect itself. And in this way we can react, and with assurance, because you know that the time an incident takes to unfold is directly related to the damage of that incident. And in fact, in connection with what I mentioned to you a little while ago, the creation of the National Cybersecurity Team was supported. Fortunately, in the end volunteers appeared who were brave enough to take this on and get it off the ground, because believe me, this is not an easy task at all. At the moment the first qualifiers are being held, for which I thank them again. At least one more qualifier is expected during the year. This team will represent Bulgaria in the European Cyber Security Challenge, the ECSC organised by ENISA. This year it will be held in Norway. And believe me, the level is extremely high. But in this way our goal is to create a group of 20 people, because it's a main team with reserve players and so on. Our goal is to create a group of 20 people who are rock stars in this area. And actually through these people we increase the popularity of the profession, we increase the interest, because this is de facto a sports team. And in this way I hope that in two years this room will not be enough for us to gather the people who, despite the early hour, will be involved in this event. Thank you. I think I have taken a lot of time, but I will be here if you have questions. Thank you.