On October 31, 2019, we launched our report Study on routes for the disclosure of digital security vulnerabilities, in which we analyze the state of the art in Colombia in relation to the coordinated and responsible disclosure of digital vulnerabilities, failures and violations of data security. In order to impact public policy and generate a constructive dialogue with government entities that play a role in this topic, we invited representatives of the Ministry of Justice and Law, the Ministry of Defense, the Ministry of Information Technology and Communications, the Office of the Attorney General of the Nation, the National Police, the National Copyright Directorate, the Delegation of Data Protection and the colCert to a working breakfast.
There we had the opportunity to share our analysis and recommendations. We also received feedback and criticism from those who participated. At the special request of the representative of colCERT, we offer this space on our blog to share the reply that they sent us in order to clarify some points in our investigation and offer more information about additional topics. Below we share their answers to some points addressed in our report regarding the role of colCERT.
colCERT’s reply has been condensed and summarized for clarity.
- About the Forum of Incident Response and Security Teams (FIRST), a global organization that brings together the working groups responsible for responding to digital security incidents (CERT or CSIRT), and our criticism that colCERT is not part of this forum.
While it is true that today we are not members of FIRST, we were members until October 2016. It was due to budgetary issues within the Ministry of Defense that it was decided not to renew this membership.
It is important to clarify that FIRST is not the only international organization that fulfills these activities. The CERT Coordinating Center of Carnegie Mellon University recognizes colCERT as a National Incident Response Team. At the level of the Americas, colCERT actively participates in CSIRT Americas, whose pillars focus on collaboration and information exchange, on technical projects and on cybersecurity events, all under the OAS Cybersecurity Program.
Here are some examples of activities developed by colCERT within the framework of cooperation and digital security:
2. About our criticism of the lack of updating of the latest digital security alerts on the colCERT website.
Currently, we publish every week on the colCERT website the alerts about the main vulnerabilities shared by the US-CERT and the National Institute of Standards and Technology (NIST or National Institute of Standards and Technologies) registered in the National Vulnerability Database (NVD).
In addition, all communications about alerts and vulnerabilities that may affect Colombia’s digital security are published through our official Twitter account at @colCERT.
3. About our comment that colCERT has a single button to report vulnerabilities and incidents.
colCERT’s website have three buttons to report:
- Incidents or vulnerabilities, which were worked differently from the way CERTs do internationally, that is, we publish a basic template that must be answered when the report of an incident is sent according to a taxonomy previously defined for the classification of incidents
- Information about cybercrimes.
4. About our wake-up call pointing out that the colCERT website does not implement the HTTPS secure data transmission protocol.
While it is true that the portal does not have an SSL certificate, colCERT can demonstrate its level of trust on the Internet through the implementation of good DNS security practices such as DNSSEC, DMARC and DKIM. It is important to highlight that the “colCERT is the only entity in the 8264 government domains that have implemented the ‘DNSSEC’ DNS assurance nationwide, whose signature from the root provides the highest reliability on the internet and protects its authenticity through cryptography of public key ”.
In 2020, we plan the development of a transactional portal that allows offering digital security services in Colombia according to the new guidelines of gov.co.
5. About our criticism that the colCERT’s link to the Ministry of Defense discourages the report of vulnerabilities by citizens.
It is not entirely true that this fact discourages people from reporting vulnerabilities. Currently, colCERT receives anonymous reports from companies and people who responsibly report vulnerabilities. We also receive reports from international counterparts and manufacturers with whom we have a close cooperative relationship. An example was the exercise that was carried out last year with the insurance of ECENSO. The colCERT led the working groups with DANE and the other entities involved with the safety of the platform.
On the other hand, it is important to highlight that colCERT actively participates in the Digital Security Committee of the Presidency of the Republic, in addition to participating in the construction of the following regulatory provisions:
- Circular 007 of 2018, which has the report of incidents to colCERT by the entities supervised by the Financial Superintendence of Colombia.
- Resolution 5569 of 2018 of the Communications Regulation Commission, which reports incidents to colCERT by internet operators.
From Karisma we appreciate this reply. We believe that it is through dialogue that public policies are improved and all input will be important for decision-makers.