Bangladesh to Launch CERT-Fin
Security Practitioners Share Their Expectations for the New Effort
To help prevent cyberattacks, Bangladesh is likely to launch a computer emergency response team, or CERT, for its financial sector this year, says Debdulal Roy, executive director of Bangladesh Bank. But the timing will depend on how long the COVID-19 crisis continues.
The nation already has BGD e-Gov CIRT [Bangladesh Government's Computer Incident Response Team], which comes under the Digital Security Agency of Bangladesh Government.
"CERT-Fin will exclusively concentrate on the financial industry for emergency security and take immediate measures for remedy after any cyberattack," Roy says. "It will also monitor and provide necessary support or advisories to help prevent probable and imminent cyberattacks as well as exchange information between all connected financial institutions."
The big challenge, some security practitioners say, is to work out a realistic framework for CERT-Fin's activities and to carefully define its role in ensuring better security for the financial sector.
"While on paper it looks fine, there have been a few agencies in the past in Bangladesh and they haven't been very much active. That has to change," says Shahee Mirza, head of security operations at Beetles Cyber Security, a company that offers application and network security.
Why the Need?
Currently, Bangladesh Government's Computer Incident Response Team handles cybersecurity for all critical infrastructure. And there's a lack of skilled resources for the banking industry, says Tawhidur Rahman, head, digital security and diplomacy at BGD e-GOV CIRT.
"Moreover, we take care of the national critical cyber sensor network and conduct cyber awareness training for all government infrastructure. It becomes a little too much for a small team of BGD e-GOV CIRT to handle everything," Rahman says.
In addition to CERT-Fin, the government plans to establish other CERTs for various sectors.
"The plan is to have a CERT each for the chemical sector; commercial facilities sector; communications sector; critical manufacturing sector; emergency services sector; food and agriculture sector; healthcare and public health sector; nuclear reactors; materials and waste sector; transportation systems sector; and water and wastewater systems sector," Rahman says.
CERT-Fin will report to BGD e-Gov CIRT and the Digital Security Agency at the national level, in accordance with the Information Technology Act and rules.
"CERT-Fin will have an advisory board, which will be headed by BGD e-Gov CIRT and DSA," Rahman says. "The Ministry of Finance will review performance and recommendations and decide on allocation of resources. It has also been recommended that each financial-sector regulator will have a separate entity that will provide information in real time to CERT-Fin."
That means, for example, that eventually, the nation will establish CERTs for banks and for nonbanking institutions that will report into CERT-Fin, Rahman adds.
The new CERT-Fin faces some major tasks, including building a threat intelligence platform and spelling out security standards.
"It is vital that CERT-Fin build its own cyber threat intelligence based on the collection of intelligence using different external sources," Mirza says. "It should look at analyzing these trends that will help in technical developments in cyber areas. This will go a long way in improving cybersecurity awareness and the culture of banking and other financial customers."
Some security practitioners are calling for CERT-Fin to devise a third-party risk framework because most financial institutions are heavily dependent on third-party solutions. Some also want CERT-Fin to be an independent entity with stakeholders from the government, central bank, law enforcing agencies, law ministry and all banks and financial institutions.
"The CERT-Fin must include researchers, which will allow a new generation to research and work there. It will ultimately build up the workforce," says Prabeer Sarkar, CEO and founder, Dhaka Distributions, a cybersecurity company based in Dhaka.
"I would also emphasize knowledge sharing. The community needs to be aware collectively of various cybersecurity risks. The CERT can be a strong knowledge base and share point. Web application security, device security and secure protocols need to be implemented to ensure protection of financial transactions."
Also, there needs to be a platform for intelligence sharing, Sarkar adds. "Right now there's no platform available for intelligence sharing in the sector, especially in case of breaches."
For instance, when a payment card breach happened recently, there was no effective way to share critical indicators of compromise with other companies in the financial services sector, he adds.
The CERT-Fin needs to provide timely advisories, threat indexes and guidelines on malware, phishing trends, ATM threats, card data protection and card fraud, Sarkar says.