Cyber

The Cyber Emergency Response Plan defines the action the government must take in the event of a technical flaw or large-scale attack on the information systems of the public and/or private sector.

The Cyber Emergency Response Plan aims to:

• decree preventative and protective measures,
• set the bodies that will manage the crisis,
• define the emergency measures, associated actions and the respective stakeholders and figures in charge,
• set out the process for raising the alarm for the authorities and providing information to the public.

A cyber emergency is a situation which results from an incident or attack which risks leading to a major malfunction or unavailability of communication systems and information processing which threatens the vital interests or essential requirements of all or part of the country or population of the Grand Duchy of Luxembourg.

The term cybersecurity encompasses all the tools, policies, security concepts, security mechanisms, guidelines, risk management methods, actions, training, good practices, guarantees and technologies that can be used to protect the cyber environment and assets of organisations and users.

The main security aims are as follows:

• availability;
• integrity, which can include authenticity and non-repudiation ;
• confidentiality.

The execution of the plan developed under the leadership of the High Commission for National Protection (Haut-commissariat à la protection nationale, HCPN) falls under the remit of the Prime Minister, Minister of State, the Minister for Communications and Media and the Minister of the Economy.

All the ministries, agencies and departments of the State are required to cooperate with the implementation of the Cyber Emergency Response Plan using all the means available to them.

The Cyber plan sets the following management bodies in a cyber emergency:

• the Crisis Cell (Cellule de crise, CC) ;
• the Operational Cell (Cellule opérationnelle, CO);
• the Cyber Risk Evaluation Cell (Cellule d’évaluation du risque cyber, CERC);
• the Communication/Information Cell (Cellule communication/information, CCI).

The Crisis Cell (Cellule de crise, CC) is activated by the Prime Minister and Minister of State in the event that a crisis is imminent or has occurred. It initiates, coordinates and monitors the execution of all the measures intended to deal with the crisis and its effects in order to return the situation to normal. It prepares the necessary decisions and submits them to the government for approval. In the event that operational intervention is required on the ground, the CC's mission extends to coordinating and monitoring its execution.

In an emergency, the Crisis Cell is composed of:

• the High Commissioner for National Protection;
• the Director-General of the Grand Ducal Police;
• the Director of the State Intelligence Service;
• the Chief of Staff of the armed forces;
• the Director of the State Information Technology Centre;
• the head of the Media and Communications Service;
• the head of the Government Communication Centre;
• the Director of the government's Computer Emergency Response Team (CERT);
• the Director of the Computer Incident Response Center Luxembourg (CIRCL);
• the Director of the Office for crisis communication.

The Crisis Cell (CC) operates throughout the duration of the crisis until the situation returns to normal: it initiates, coordinates and monitors the execution of all the measures intended to deal with the crisis and its effects in order to return the situation to normal.

The Crisis Cell (CC) can appoint an operational cell to execute, implement and monitor the ordered measures and activities.

Vigilance entails gaining an understanding of the cyber threat and taking due account of it in order to adjust the population's behaviour and the protective measures applied.

The role of the Cyber Risk Evaluation Cell (CERC) in managing the crisis is to monitor the changing situation and inform the Crisis Cell (CC). Made up of experts, it evaluates the situation and increases surveillance before the Crisis Cell is activated.

The Communication/Information Cell (Cellule communication/information, CCI) is in charge of communication and providing information for the media and citizens. The horizontal coordination of organising external communication falls to the Office for crisis communication (Service de la communication de crise).

The wider public will be informed of the changing situation by the government and via the website www.infocrise.lu.

The plan provides those charged with its execution with the tools they need to react in an appropriate and flexible manner to the events that occur and to provide the best possible protection for the citizens or sectors affected, their vital interests and the nation's economic interests.

The Cyber plan sets out seven measures:

• Evaluation;
• Increased surveillance;
• Technical analysis;
• Isolation;
• System upgrade and protection;
• Activation of the national cyber reserve;
• Restoration of services.

This is the first measure in the crisis management cycle. It enables the authorities to evaluate the degree of urgency and the impact of the incident on Luxembourg.

The increased surveillance measure includes the actions to be implemented during a risk situation. It concerns in particular

• writing reports on network traffic, the state of the network infection and the effectiveness of the counter measures in place;
• evaluating all the statistics and data available to determine the severity of the situation and to be able to react instantly if necessary.

'Technical analysis' is a measure that groups all the actions required to analyse in detail the attack, intrusion or other IT incident that could be linked to or could have caused the crisis situation. It also involves identifying all the systems affected to some degree (collateral damage) in order to organise coordination of and cooperation between the stakeholders involved and the international CERT community.

The 'isolation' measure acts on network traffic to counter any denial-of-service attacks (distributed or not). It can also be applied to effectively isolate the systems under threat and avoid any information leaks.

The 'system upgrade and protection' measure aims to contact potential targets, listed depending on the type of attack, in order to verify the existence of certain vulnerabilities that may be exploited by a threat. This list also includes the systems that may be targeted by an attack.

Having verified the vulnerabilities in a situation, the CERC will propose that the CC put in place

• preventative measures concerning potential targets,
• protective measures for potential targets,
• or that the CC should partially or fully disconnect a target.

The 'isolation' measure is triggered if disconnecting a potential target is appropriate.

'Activating the national cyber reserve' is a measure that aims to call on experts from the information systems and communication security sector of the public administration. If required and for specific areas, the reserve can be supplemented by experts from the private sector or international organisations of which Luxembourg is part.

This measure is only triggered in a crisis of significant scope with a considerable impact.

In general, this cybersecurity strategy aims to protect public and private stakeholders against cyber threats while creating the best conditions for economic and social development in cyberspace.

Seven objectives have been developed, accompanied by action plans with precise schedules and designation of the stakeholders responsible for implementing around forty actions, which should enable this new national cybersecurity strategy to be appropriately implemented by the end of 2017.

• Objective 1: To strengthen national cooperation
• Objective 2: To strengthen international cooperation
• Objective 3: To increase the resilience of the digital infrastructure
• Objective 4: To combat cyber crime
• Objective 5: To inform, train and raise awareness on the risks involved
• Objective 6: To put in place the required norms, standards, certificates, labels and reference documents for the State and critical infrastructure
• Objective 7: To strengthen cooperation with the academic and research worlds

The Council of Government approved an update to the national cybersecurity strategy II on 27 March 2015.

As the national authority for the security of both classified and non-classified information systems used by the State and operators of critical infrastructure for their own requirements, the ANSSI will set the policies and guidelines in this area, ensure that the measures related to information system security are put in place and that their application is guaranteed, and certify the means for processing non-classified information (systems, services, infrastructure or the premises containing them).

The ANSSI will also run the national CERT (national computer emergency response team) and governmental CERT (government computer emergency response team).

The draft Grand Ducal decree was adopted by the Council of Government on 21 January 2015.

En tant qu’autorité nationale en matière de sécurité des systèmes d’information classifiés et non classifiés et exploités par l’État et les opérateurs d’infrastructures critiques pour leurs besoins propres, l’ANSSI définira les politiques et les lignes directrices en cette matière, veillera à ce que les mesures concernant la sécurité des systèmes d’information soient mises en place et que leur application soit garantie et certifiera les moyens de traitement de l’information non classifiée (systèmes, services, infrastructures ou locaux les abritant).

L’ANSSI assurera aussi la fonction de CERT national (centre national de traitement des urgences informatiques) et gouvernemental (centre gouvernemental de traitement des urgences informatiques).

Le projet d’arrêté grand-ducal a été adopté par le Conseil de gouvernement le 21 janvier 2015.

Functioning under the authority of the Minister for Communications and the Media and composed of representatives from the ministries concerned, the mission of the CSB is to define and develop a strategy for information system security.

The first strategic plan from 2011 has been adapted and the Council of Government approved the update to the National Cybersecurity Strategy II on 27 March 2015.

GOVCERT.lu works both on a national and international level to protect the Grand Duchy of Luxembourg from the main cyber threats in order to create an environment that is easy to use, safe and reliable for Luxembourg's businesses and to protect the private lives and basic rights of the citizens of Luxembourg.

Launched on 8 June 2015, the national platform for the promotion of cybersecurity SECURITYMADEIN.LU is an initiative from the economic interest group 'Security made in Lëtzebuerg' (SMILE) which was mandated in 2010 by the Ministry of the Economy to promote and strengthen information security in Luxembourg.

The four objectives of SECURITYMADEIN.lu are:

• to coordinate government initiatives like BEE SECURE (awareness raising for the general public), CASES (promotion of information security in businesses) and CIRCL (post-incident coordination and action services);
• to back and make more visible the awareness raising and support actions of these different initiatives among their target audience;
• to promote the whole information security community;
• to develop a cybersecurity ecosystem which will make the stakeholders and services related to information security in Luxembourg more visible.

Launched on 8 November 2010, BEE SECURE is a common initiative from the Ministry of the Economy, the Ministry of Family Affairs, Integration and the Greater Region and the Ministry of Eduction, Children and Youth. It includes all the necessary actions for raising awareness of how to use new information communication technologies more securely.

The objective of the Safer Internet Plus programme from the European Commission is to encourage European citizens to use new information technologies securely and confidently.

In line with this policy, the main strategic priorities of the Safer Internet Plus programme, as well as those of the BEE SECURE project as part of this programme, are:

• to promote a safer use of the internet and current communication technology, in particular among young users,
• to educate users in this area, particularly children, teenagers, parents, teachers and educators,
• to combat illegal content and dangerous online behaviour.

CASES.LU, Cyberworld Awareness & Security Enhancement Services, is the information security portal designed for SMEs, citizens and administrations of the Grand Duchy of Luxembourg.

The CASES project aims to raise awareness among internet users of the issues linked to the security of communication and information systems and networks. The website provides a three-pronged approach:

• SOS - require assistance;
• protect yourself;
• master security.

The Computer Incident Response Center Luxembourg (CIRCL) is an government initiative for the private sector, municipalities and non-government entities which aims to provide a systematic response centre for threats and incidents that affect computer security.

The objective of CIRCL is to provide optimal protection for information and communication systems, guaranteeing an alert and warning system for users in Luxembourg.

International cooperation is guaranteed and international assistance is possible for any cyber crisis that could become international in dimension, both from CERTs and international organisations of which the Grand Duchy of Luxembourg is part (European Union, Benelux, NATO, UN, OSCE).Toute crise cyber étant susceptible d’avoir une dimension internationale, une collaboration internationale est garantie et une assistance internationale est possible tant au niveau des CERTs que dans le cadre des organisations internationales dont le Grand-Duché de Luxembourg fait partie (Union européenne, Benelux, OTAN, ONU, OSCE).