Information Security has become a hot topic in Thailand, and indeed throughout the world, now that so much of our daily lives and interactions take place on the Internet. With a population of 67M, of which 5.5M have a broadband internet connection, and with 98M mobile devices in use, Internet penetration is quite high.
New and updated laws have recently been passed to align the values and requirements of our society with the modern information age. Critical Information Infrastructure has been defined, and it needs extra effort on resiliency and security to guarantee confidentiality, integrity and availability: security teams must be set up.
Of course this is very exciting news for the security community, but how can this be accomplished on a country scale? With (tens of) thousands of organizations in the country, where are the people going to come from to form those security teams? And even if it is somehow possible to find that many people, how can we help the organizations so they don’t each have to reinvent the wheel by themselves?
The path we have chosen is a top-down multi-layer approach, a concept we call sector-based CERTs, as it requires less immediate availability from the already very limited pool of trained personnel. For people familiar with the term ISAC (Information Sharing and Analysis Center), a sector-based CERT is like an ISAC, but with strong incident handling capabilities on top.
We start by establishing one CERT for each sector. All organizations operating in the same sector can then become a member (‘constituent’) of the CERT. Once this CERT is operational, the individual member organizations get a much clearer view of the current situation and challenges in their sector and in general, allowing them to make informed decisions about how to proceed. Smaller organizations may for example decide to keep the situation as it is, outsourcing security to the sector-based CERT, while larger organizations may see a need to establish their own in-house security (CERT) teams and only use their sector-based CERT membership for threat intelligence and information exchange.
As a public organization, ThaiCERT plays a facilitating and advisory role in the establishment of these sector-based CERTs. This includes providing training, exercises and drills. As a National CERT, ThaiCERT also receives much threat intelligence for the country as a whole, which can be shared with the appropriate teams. As an active member of the international security world, ThaiCERT also coordinates with international partners, which generally helps to solve cross-border security incidents.
This setup is being implemented at the moment and already shows signs of being a successful approach.
However, this is just the start: layer 2 (if we count the National CERT as layer 1). With an ever-increasing workload, it is hard to retain the existing staff, let alone find new people to expand capacity and capabilities. There is no such thing as a “CERT University” from which we can easily draw many students every year to fill the available positions. Thankfully we do see an increasing number of universities offering specific information security curricula, but until students start to graduate (i.e. a number of years from now), the problem of finding enough staff will remain a while longer.