Interview with B.Bilegdemberel, Director General of the Digital Development Policy Implementation and Coordination Department of the Ministry of Digital Development and Communications.
– Information security is a sensitive issue in Mongolia. Last fall, the first cybersecurity law was passed, which Parliament had been unable to approve for more than a decade. Let’s start the interview with detailed information on the specific provisions of this law.
– The main feature of the Law on Information Security is that it specifies 17 organizations with critical infrastructure. In other words, those 17 organizations’ information system failures can cause a social and economic impact on their sectors. It is noteworthy that the law stipulates that these organizations must have an independent security audit every two years and improve their operations. At the same time, the law provides for the support of intelligence agencies, the Ministry of Digital Development and Communications, and the Armed Forces in matters related to them. This law shall come into force on May 1, 2022. Therefore, in preparation for the implementation of the law, we have established the National Cyber Security Strategy, General Security Procedures, Cyber Attacks and Conflict Response Plans, Communications, Information Technology Audits, Information Security Audits, and Cyber Security Risk Assessment Procedures. The documents are being developed and approved in cooperation with relevant organizations.
– What has the Ministry of Digital Development and Communications done in the past to ensure information security?
– We are conducting a study on the readiness of the Center for Combating Cyber Attacks and Conflicts in cooperation with the International Telecommunication Union, and the final report will be released in late April this year. In collaboration with the Software Institute of the Carnegie Mellon University in the United States, online training on “Creating a Computer Security Incident Response Team (CSIRT)” was organized to improve the capacity of cyber security professionals. A total of 37 employees attended the training from a total of 20 private organizations with public and critical information infrastructure. The Ministry also agreed to implement the project with the Japan International Cooperation Agency (JICA) to train and improve the skills of the teachers who are specialized in information security. The decision will be finalized in April this year and the training will begin in October.
– The official Facebook page of the “e-Mongolia” system has been hacked. Rumors went viral online that information has been lost. What would you say in this regard?
– The Ministry of Digital Development and Communications and the “E-Mongolia” Academy use Facebook as a public communication channel to announce their work to the public, communicate quickly with citizens, and listen to their comments and complaints. It’s like people interacting with each other on Facebook. I assume that one of the admins of this social network page has lost the password. At the time, other admins were notified and immediate action was taken from META to suspend the page within 10 to 20 minutes. As a result of our team’s prompt action to rename the page in accordance with META’s service rules, we were able to fully restore the page in a short period of time. We are now working with META to find out where and for what purpose the attack took place. We are also taking accountability measures regarding the E-Mongolia Facebook page admins.
But there seems to be a misunderstanding among citizens. The e-Mongolia Facebook page was hacked, but the system was not hacked. The e-Mongolia system is a separate concept. The system is located in Mongolia. There are government agencies responsible for information, and it is an integrated public service system that provides public services to citizens electronically through a single-window which uses the government information exchange system. Just as citizens use Facebook to communicate with each other, the e-Mongolia Facebook page was a channel for communicating and informing citizens, not a system that provides public services.
– Citizens have an attitude that information security should be protected only by the state. However, in addition to the government and the legal environment, citizens should be able to protect their own information security and gain knowledge and information in this area. What advice would you give in this regard?
– Studies show that 80 percent of information security depends on individuals and 20 percent on technology. Therefore, first of all, citizens should keep their passwords secret from others. At the very least, don’t go to the store and say your card’s password. If the PIN code of the card is lost, there is a risk of losing money in the account. You also need to have a basic knowledge of how to secure your social network, such as strengthening your password and avoiding easy-to-guess passwords. Ensuring information security is directly related to the habits and knowledge of citizens, rather than protecting it with technology.
– The State Secretary of the Ministry of Digital Development and Communications once said in an interview with zarig.mn that the Ministry is cooperating with MNCERT NGO to ensure the security of the e-Mongolia system. However, MNCERT NGO stated that they did not cooperate with your ministry. Can you clarify this?
– The “e-Mongolia” system is an integrated system of public services according to the Law on Public Information Transparency. If a government organization provides services electronically, the goal is to connect to the e-Mongolia system and provide a single window. The National Center for Combating Cyber Attacks, which by law is part of the intelligence community, should support information security in government information systems. However, the responsible organization having risk prevention policies, rules, and procedures, conducting information security inspections, and taking measures to detect vulnerabilities are the main conditions for the organization to reduce the information security risk.
There is no concept of 100 percent protection against attack. In any case, there is a risk. However, in the event of a risk and loss of normal operations, conditions must be created for a speedy recovery. In other words, information security risk assessments are contracted out to publicly used systems, and gaps are identified and mitigated.
MNCERT provides cyber security training, counseling, emergency assistance, and security information to its member organizations. The organization cooperates with our ministry in the form of comments and suggestions on draft rules and regulations in accordance with its professional and operational areas. In other words, the MNCERT NGO voluntarily provides advice, support, and assistance to ensure that government policies are appropriate to ensure the security of social information.
Secretary of State B.Bolor-Erdene’s interview with zarig.mn was in November 2021. At the time, the Communications and Information Technology Authority was contracted to work with two members of the MNCERT NGO. On December 16, 2021, with the approval of the Cyber Security Law, the agreement with the two members of the organization expired. In 2022, the Communications and Information Technology Authority was dissolved and became the Ministry of Digital Development and Communications, without any contract with any organization. The cyber security law will come into force on May 1. The law addresses the issue of the emergency response team. We are conducting a study on the Computer Emergency Response Team.