Z CCB – Centre for Cybersecurity Belgium

The Centre for Cybersecurity in Belgium (CCB) was established in August 2016 following the Government’s plan to be able to react upon Cybersecurity incidents with impact in Belgium. The centre was setup following a series of Cybersecurity strategy documents created during the last decade, by government, law enforcement and administration officials and independently by private industry and academia. During this period in time a series of priorities and challenges were posed towards the government to properly act towards the increasing cyber threats. Plans have existed to establish a centre of operations under the previous governments. A first attempt was made in the creation of an emergency response team (CERT), which was put under the operational coordination of the federal ICT agency. The CERT-activities and its resources have now been incorporated in the CCB.
The centre is still in the process of building expertise and experiences, trying to establish its role in the Belgian federal administration. As part of the Prime Minister’s office, they have been able to position themselves in the role of a coordinator, at least within the public government. Collaboration in the field is limited to operational incident activities through the public CERT.
The CCB is today more internally oriented – within the public administration, but shows clear intentions in reaching out beyond - towards industry, and more in an international basis. It is still lacking resources in terms of people, in order to cover all anticipated activities. The increasing cyber security challenges laid down by the European Commission, will further increase the level of interactions needed. Having a coordination center per country, at least coordinating the various government departments and institutions (including in Belgium the communities and local administration) is very relevant. The CCB is in relation with some private activities, and somewhat effective in interacting with private initiatives, but lacking a continuous interaction with private expertise and lacking a long term view on inclusiveness of a joint strategy against cyber challenges. The CBB is somewhat effective in its actions to for instance awareness creation, but many of these actions are a tiny drop on a hot plate, and lack impact on a national level. Having the coordination centre, at least has a positive impact on the overall state of emergency sometimes caused by cyber criminals on governmental and state level. The implementation of directives, regulations and policy making are lacking sufficient interactions with the various stakeholders. The CCB as part of the government activities is somewhat sustainable, but will likely be played around following new governments in operations. A stronger institutionalized CCB similar to the French ANSSI or German BSI, also with policy making and administrative powers, providing at least temporary regulations, might reduce some of the inefficiencies following current regulations (such as GDPR, NIS, PSD2, …). The centre is somewhat inclusive, as it participates due to limited resources, being selective in activities in the market, but is strictly limiting interventions and interactions with the industry. There are no institutionalized platforms for interactions.

The Centre for Cybersecurity Belgium is the central authority for cybersecurity in Belgium. 1. draft a national Cyber Security policy and 2 encourage all relevant Belgian governments departments to make an adequate and integrated contribution. 3 take over the management of the Computer Emergency Response Team (CERT) for the purpose of carrying out activities relating to the detection, observation and analysis of online security problems as well for providing continuous information related thereto to users. Mission : monitoring, coordinating and supervising the implementation of Belgian policy on the subject;
managing various projects on the topic of cybersecurity using an integrated and centralized approach; ensuring coordination between the relevant government departments and governments, as well as the public authorities and the private or scientific sectors; proposals aimed at adapting the regulatory framework in the field of cybersecurity; crisis management in case of cyber incidents in cooperation with the government's Coordination and Crisis Centre; preparing, disseminating and supervising the implementation of standards, guidelines and security standards for the various information systems of the governments and public institutions; coordinating the Belgian representation in international cybersecurity forums, coordinating the monitoring of international commitments and national proposals on this subject; coordinating the security evaluation and certification information and communication systems; informing and raising awareness among users on information and communication systems. Cyber Emergency Plan. Awareness.

After Start, there will be a consolidation stage and should be reaching its maturity after five years. However, with the intention to make it a permanent activity, the activities being linked to the Prime Minister might results in a reorientation upon a next government (after those five years).

This practice has been applied in a similar manner in other Member States, but in this case was developed from the ground up (whereas in other member states existing instances were created). It has been tailored to the needs and nature of Belgium specifically also taking into consideration the limited powers of the Federal government in favour of the regional governments. Every country or region interested in applying this practice will build a coordination practices on top of existing activities, and build on existing expertise to further improve it. Additional functionalities and activities can be added on the basis of requirements. It needs the empowerment of the Prime Minister or head of a specific region to be applicable.

Parliamentary questions and regular reporting are amongst the periodic reporting of the evaluation of the activities. Its results can be debated in Parliament and can be executed through the Prime Minister.

a) International cooperation through CERT.be the national CERT, there has already been an operational collaboration with other CERT operations of Member States, and others (academic and private CERTs and CSIRTs). There is a collaboration through ENISA on international simulation activities.
b) cooperation at the national level since the centre is the coordination centre, at least on Federal level, there is a collaboration between the different government departments involved. There are also levels of cooperation with the regional governments (communities). A cooperation with multiple agencies (privacy, anti-terrorism, ….) and with justice (prosecutors) exists as well, but not transparent up to what level.
c) cooperation with front-line practitioners for specific cases exists, and there is an exchange in some private platforms such as the Cybersecurity Coalition, LSEC, Febelfin and others.
d) Other methods of cooperation include reporting platform though citizen’s hotline at the national level, specifically for phising (for citizen), and the incident response for companies and organisations.

? Prime Minister
? Ministry of Interior
? National Coordinator for Security and Counterterrorism
? National Intelligence
? Ministry of Justice
? Ministry of Economic Affairs
? Federal ICT agencies
? Federal Computer Crime Unit
? CERT.be
? Private and independent CERT and CSIRTs
? ENISA (European Agency for Network and Information Security)
? Sector Federations

1.235.000 € in 2016

Centrum voor Cybersecurity Belgium, jaarverslag 2015, Belgium. Centre for Cybersecurity Belgium. Brussels
Securing Cyberspace, Cyber Security Strategy .be, 2012, Belgium Belgian Federal Government. Brussels

Parliamentary Questions and Answers https://goo.gl/SsqCrK
Annual report 2015 https://goo.gl/WLmMQX
Belgian Cyber Security Strategy : https://goo.gl/Ttvvrk

A central cyber command during an incident is more than relevant as in many cases the incidents are complex in nature, expertise is hard to find and scattered amongst different entities and a central point of contact can coordinate different actions and act as a spokesperson.
Coordinating cyber incidents aimed at the state level, with the impact of the government powers, will be able to direct various government departments, but as needed also police forces, justice and defense (military) powers, in order to properly act, react and follow-up on cybersecurity activities.
Being the central coordination team, on the basis of acquired and further educated experts within its team, further actions and activities can be developed to increase the capacity going forward.
This answers mainly to the scarcity of expert resources, by centralizing them.

Its effectiveness is limited to the availability and priorities of the team itself, and its political mandate or its political steering board. It can operate relatively independent, but will focus on activities linked to the overall governmental approach, rather than building out a wider strategy and relating to the actions in the market.
Building on top of existing expertise available in the country, both through commercial, research and governmental institutions might further increase the coordination activities. These should be supported by technological means, and guided by the setup and organization of regular coordination activities towards local levels
The organisation won’t be able to defend against major cyber-attacks, won’t be able to prevent major cybercrime and won’t be able to immediately respond appropriately. It has to rely upon other entities in order to be able to do that.

The activities as coordination entity are limited to the personnel involved mainly, with limited infrastructure costs. Additionally, infrastructure was gained. Some of this infrastructure could also be hosted and managed by commercial actors, likely in a more effective way.
Some of the actions taken, will be outsourced in order to focus on the core functionalities of the entity, the coordination. Additional work can be done to further ensure direct actions from the government departments participating.
Some actions should be instrumented by the market directly, as they could become interfering with the commercial market operations.

A central coordination team for government to act on cyber incidents, that have happened in between. A spokesperson to explain cyber incidents to the public during incidents (such as the ransomware attacks). A central point of contact for international activities such as the annual European cyber security simulation training, or for international regulations under development (such as NIS and GDPR initiatives).

The centre will be able to operate under the Prime Minister of the current government, as it is part of the governmental program. Beyond this period or five years from 2015 onwards, the CCB will likely continue to exist. This will be depending on the potential of major cyber threats and its capabilities to react to them, to the political changes and developments, potential budget implications and changes in perspectives on European and Member State level. Some activities going forward could be considered sovereignty of the state, some taken up by Security Services and some taken up by Intelligence Services and considered Security of the State. Some other activities will be considered mainly from a military perspective, and can start falling under Defence.

There have been multiple reach outs to the private sector under the concept of the Cybersecurity Coalition, an initiative of some of the larger enterprise end users and national alliance of large companies. There are some activities where mutual experiences can be shared.
There is only limited interaction with the expertise available amongst both research facilities and experts from commercial institutions, companies providing cyber security services and technologies.
There is only limited interaction on a European level, even while there is somewhat interaction with ENISA and ECSO, there is no impact on international standard developments or interactions with other member states and actors on cooperation.