08/04/2009

A real CERT in Belgium to be established

We can announce that in the coming months a real CERT will be established for the whole of Belgium. It will be built upon the existing knowledge and experience of Belnet (which already operates a CERT for its own FGOV network) and upon the legal authority of BIPT. Do not send in your CVs just yet; the job offerings will be published in the coming weeks.

First, I am happy that the CERT will finally be established, after a campaign that started with http://ekz.skynetblogs.be in 2004, continued through the battle around the new Belgian Telecom Law, The Belgian Inquirer and then the Belgian security bloggers (of which Belsec is part), and ended with the hearings in parliament. This is important because until now nobody was responsible for the Belgian national IT infrastructure.

The practical consequence was that international malware research groups and security firms couldn't give their information about insecurity on Belgian networks or infrastructure to anyone, because they were hindered by their NDAs and the like. They needed a national CERT, but as Belnet was only responsible for Belnet and not for the whole of Belgium, that was a bit difficult. And as the FCCU only handles legal complaints, they couldn't do anything with that information either. Luckily for Belgium, Arbor Networks decided to give us (and the FCCU) access to their information about fast-flux botnets, so that we could contact the FCCU and DNS.Be to take immediate action (a week later).

The national consequence was that there was no one who could contact the operator of an insecure or hacked server or website to report the problem and try to have it taken down or secured. We publish information here about infected and hacked .be websites, but most of them don't care a bit, so some of them stay that way for weeks or months to come, maybe until the moment they see in a Google search that they are indexed as being hacked or insecure. Contacting the owners or operators of these sites through Whois was not only time-consuming, it was also a risky thing to do, because those paranoids sometimes thought that you were responsible. They would have done better to be paranoid about their own security. You also never received any thanks. So I have other things to do than spend my time with people like that. It is published, and if they are interested they will see it.

So now there is a CERT. We shouldn't put our hopes too high from the beginning, because they will have a lot of work to do and they can't do it all at once. But if I were them, I would do the theoretical and infrastructure work, the communication and things like that, but I would also set very clear goals: every day we have to bring down at least x hacked sites, x phishing sites, x botnets and so on. If you do that every day, you will have very impressive numbers after a few months, and you will see that the number of infections and security problems diminishes, because the attackers will know that every day x of their compromised sites will be brought down. I would also concentrate on the most important and massive infection sources first. A botnet command and control server should not be listed on Arbor Networks for months; it should be brought down the day it is found. A site that has been used for phishing three times in a month should be asked to review its security, because it will be hacked a fourth time.

Once we have a CERT, the battle for responsible disclosure can begin, because under the Belgian cybercrime law you can be charged very easily just for wanting to be responsible. A whole series of other laws will also be necessary (breach disclosure, for example), as well as a series of debates about how to protect the mobile networks from the new attacks that will arrive. But we needed a CERT first, because where would you go with your 'responsible disclosure' information without disclosing yourself?

I will also have to think about what I will do with everything around here now that the CERT exists, because we have built here a security dashboard, a collection of 1000 feeds and some exclusive monitoring. If the CERT does all that (which I hope), then I can do some other things (I hear a big yes and a long list at home :) )

We only did this because there was no CERT.

We should also thank representative Roel Deseyn for his unrelenting interest and lobbying for this. He is the only politician so far who has really shown a clear interest in matters of e-security and privacy and has continued to push for new laws and the means to act upon them.

And let us rejoice: the CERT is coming, and it is here to stay.

11:53 | Comments (0)
