We are pleased to present an interview that is useful for all internet and information technology users: in the material that follows you will find many practical things that will help you be more secure in the virtual environment. Mihai Rotariu, spokesman for the National Directorate of Cyber Security, provides our readers with vital information about ensuring optimal cybersecurity for all types of users. This interview is therefore not for specialists but especially for the general public, because we already live in a digital age in which technology should help to streamline business, not to scare.
Please tell us a few words about the National Cyber Security Directorate (DNSC). When was it established? What is the role of DNSC? Is DNSC an institution dedicated to the general public?
The board addresses the general public, or rather the common user. Any cyber security incident can be reported to us, either by e-mail (firstname.lastname@example.org) or even to call centers, by calling the 1911 emergency number. At the same time, we have an extremely active and interactive community on social media, which helps us to quickly disseminate awareness information, but also notifies us quite often about new threats that have appeared online. Cyber security is a shared responsibility, and cooperation is essential in limiting the impact of online crime.
Getting back to the point regarding the birth certificate of the institution, the date that we can mark in the calendar is September 22, 2021, when the Government approved Emergency Ordinance 104 on the establishment of the National Directorate of Cyber Security (DNSC). Ordinance 104 was published in the Official Gazette of September 24, 2021, and on January 7, 2022, the President of Romania signed the Decree on the promulgation of the Law for the approval of the Government Emergency Ordinance no. 104/2021 on the establishment of the National Directorate of Cyber Security (PL-x 380 / 27.09.2021).
In practice, the establishment of the National Cyber Security Directorate (DNSC) was a necessary act that involved the abolition of the National Cyber Security Incident Response Center (CERT-RO), an institution that had just turned ten years old and had reached full maturity, and the launch of a new, modern cyber institution capable of meeting international requirements. Of course, the duties and staff of CERT-RO were subsequently taken over by DNSC, with extensive activities and responsibilities, at the level of the most advanced organizations in the field at the international level.
What are the medium and long term goals of this institution?
As in any industry, to evolve sometimes requires a new perspective, corresponding to the requirements of the field. And here we are talking about the cyber sector, where developments are fast and sometimes spectacular. Basically, what was standard ten years ago is not enough.
The establishment of the DNSC was a strategic project for Romania, to which 20 key institutions involved in this initiative contributed. The project received strong support from the Prime Minister, the Romanian Government and the CSAT. Therefore, we are talking about a world-class civilian institution and a key player in implementing the national cyber security strategy. Moreover, one of our long-term goals is to firmly position Romania as a recognized leader in cybersecurity.
We want to become an attractive institution for the new generation of talents in the cyber area, but also for the ladies who work in this profession, with the culture and determination of a civil leader of cyber security in Romania and a mentality specific to a competent authority, and to have the necessary resources to attract top specialists from the private sector or to keep the competent people who have left.
The Directorate will also maintain the role of cyber security incident response team, a single point of contact at European level, and will continue to represent Romania at the international level in the field of cyber security. It will also have a strategic role for the elaboration and implementation of the strategy and public policies, for the creation of a national framework for collaboration, cooperation, education, training and awareness in the field of cyber security in Romania.
The DNSC will be a strategic promoter of the national interest in increasing the rate of absorption of European funds allocated to the field of cyber security and a guide for the active participation of public and private entities in major funding programs. Last but not least, we want to become a promoter of cybersecurity education and awareness programs, because at the moment, unfortunately, Romania is in the last places in the European rankings that measure the national level of training in terms of digital and cyber security education.
With the Covid-19 pandemic, many activities were brought online, resulting in an increase in activity in the virtual environment and an increase in the dangers that come with exposure in this area. What do people who are starting their business online for the first time, or who are substantially growing their business in this environment, need to pay attention to?
There are a number of actions that must be checked when migrating your business online. First of all, you need to have a risk management plan in place to ensure business continuity in the event of an attack. This plan will have to evolve in parallel with recent technological changes and threats.
In addition, a secure configuration of the equipment used and the network is required. In this regard, it is important to develop a clear security strategy to remove or disable unnecessary functionality from systems and to quickly fix known vulnerabilities.
Recent years have shown us that the new work trend is seriously migrating to work from home. If you have employees who work remotely, you will need to develop clear work procedures for securing the data and equipment used. Moreover, absolutely all employees must benefit from frequent basic security training, in order to keep them informed about the latest threats, which generally target companies and organizations. Only in this way can they recognize methods of attack and protect both themselves and the company for which they work from possible damage.
Last but not least, monitoring is important, whether we are talking about the company’s networks, systems or services, or the access privileges granted to employees. Carefully analyze the activities carried out within the organization and provide access according to the need to know the information.
The same attention should be paid to the equipment outside the company, to the personal devices of the employees, in particular to external environments which could be a real danger to the security of the network. In this case, you will need to develop and implement policies and solutions to control and minimize the use of external storage media. In addition, you will need to make sure that all staff are aware of these policies.
These are just some of the measures that you can use to secure your online business. At the same time, many such organizations are already subject to laws requiring minimum information security measures, including the obligation to conduct security audits (GDPR, NIS Directive). Therefore, those companies that fall into the sectors of activity delimited by the legislation in force will have to be subject to extensive security measures. For more details and advice in this regard, I invite you to contact the National Authority for Network and Information Systems Security within DNSC.
With the growth of online businesses, e-commerce has also increased the demand for labor in this area (IT, cybersecurity, etc.). Does Romania still have resources? I mean, do we have specialists who can ensure the needs of companies in this direction in the short term? Does the new law on “digital nomads” (Law on amending and supplementing the Government Emergency Ordinance no. 194/2002 on the regime of aliens in Romania) help in any way?
There is a serious shortage of cyber security specialists not only in Romania, but worldwide. Any action that could help cover this deficit is welcome. As I mentioned earlier, we need to focus more on educating the new generations, we need to seriously increase the level of training, and cybersecurity needs to become a subject taught from an early age. At the moment, I believe that the content of the education system curriculum is insufficient for the real needs determined by this digital age.
Romania is the 6th country in the world in terms of the number of specialists who graduated from the IT faculties in the country, but paradoxically it has a deficit of over 15,400 IT specialists (and a deficit of 2,200 cyber security specialists). Over 43,000 IT specialists have left Romania to work abroad, and another 6,100 work online in the country but exclusively for companies abroad (mostly as freelancers).
Unfortunately, Romania is a country of contrasts when it comes to cybersecurity specialists. We have specialists who are highly regarded internationally in the field, or generations of talented young people who are targeted by the most important companies in the field. To give just one example, in 2019 the Romanian cybersecurity team won the European Cyber Security Championship, an edition organized in Bucharest. We have talented young people who are passionate about IT and I am glad that every year we see more and more initiatives to improve these talents, whether it is CTF-type competitions at national level, or even programming clubs for young people.
However, we are not currently able to maintain these future cyber security specialists locally. The acute need for digitization, and especially the competition in the labor market for IT specialists, make the demand seriously exceed the existing supply. We need more IT experts in cybersecurity if we want to have a secure and functional digital economy. The education system is, from my point of view, the ideal environment that can contribute directly and decisively to gradually covering this lack of specialists.
What are the main dangers that the National Directorate of Cyber Security has set out to combat with its establishment? What are the main vulnerabilities that DNSC has identified so far and what do you advise us to do to identify and combat them?
I believe that ensuring optimal cybersecurity for all types of users is mainly about cybersecurity awareness and education, not about certain dangers. We need to increase the level of preparedness, first of all, because annual reports often show two big problems: regular users easily fall into the trap of some simple attacks (scam, phishing), and another major problem, for organizations this time, is the lack of a culture of security. Many of the reported incidents are caused by a faulty, improper configuration of the equipment or devices, or a failure to update the software in a timely manner.
Therefore, in order to become more confident, we need to be more informed, but also interested in this field. We need to make cyber security digestible for the general public, because we are already living in a digital age, in which technology should help streamline business, not scare. That is why we are still naive when we work online and are not aware of the obvious dangers.
Personally, the first piece of advice I can give to those who work online is to be vigilant and patient. It is very important to focus on what we do online, especially when dealing with sensitive data, whether it’s personal, authentic or financial data. It always has a value on the black market, and attackers do not discriminate when choosing their targets. Anyone can be a victim, so it is absolutely vital that we gradually establish a cybersecurity routine that we activate frequently, to which we add an important component of security hygiene.
For example, this routine should include automatic software updates on all devices, frequent back-up of sensitive data on an external storage medium that we do not keep connected to the original data source, the use of a solid password manager and a two-step authentication system, etc. Of course, there are many such recurring actions that we should not neglect if we want to be safe when we work on the Internet.
In short, we need to get used to or form a series of security reflexes similar to those in real life. When we leave home, we lock the door with a single key, one that cannot open other doors. We also need to manage passwords, for example. We must have a unique password for each account. Moreover, when we cross the street, we check in both directions before crossing, so that we are not injured by any car. Why don’t we do this with the links we receive from all kinds of sources?! Before we click, we can check that link with an existing security solution on our device or one available for free online. We need to analyze and think logically before taking any action that may prove harmful to us, our data or our devices.