Hungary (HU)

Hungary was one of the first countries in Central Europe to formulate its national cybersecurity strategy. The National Cyber Security Strategy of Hungary (NCSS) was adopted in 2013: www.nbf.hu/legis.html. It is based on the foundations of EU and NATO cybersecurity principles and follows the mainstream take on cybersecurity strategies (values, environment, objectives, tasks, and tools). The document uses a comprehensive approach: co-operation between state and non-state actors; military and law enforcement, and economic and political stakeholders. The Strategy also provides for the establishment of the highest political coordination body, the National Cyber Security Coordination Council.

Objectives

Obj. 1 - Building response capability: having efficient capabilities to prevent, detect, manage (respond to), address and correct any malicious cyber activity, threat, attack or emergency, as well as accidental information leakage. To achieve these goals, the very first step was to establish the GovCERT-Hungary. Hungary lays down the requirement that the Hungarian cyberspace shall provide a secure and reliable environment:

Obj. 2 - Creating a secure environment: providing appropriate protection for its national data assets, to ensure the operational safety of the cyberspace functions of its vital systems and facilities, and to have a sufficiently fast, efficient, loss-minimising correction system in situations where a compromise occurs, which can also be used at times of a special legal order (i.e. emergency situations).

Obj. 3 - Applying international standards: ensuring that the quality of IT and communication products and services required for a secure operation of the Hungarian cyberspace reaches international standards, with special emphasis on compliance with international security certification standards.

Obj. 4 - Improving education: ensuring that the standard of cyber security education, training and research and development is consistent with international best practices, promoting the establishment of a world-class Hungarian knowledge base. The government declared a significant role for the National University of Public Service in this matter, operating as the main base of education, training and research in the field of information security.

Obj. 5 - Protecting the future generation: ensuring that the establishment of a secure cyberspace for children and future generations is consistent with international best practice.

Priorities

  • For individuals and communities: ensure social development and integration through free and secure communication guaranteeing the protection of private information.
  • For individuals and communities: ensure social development and integration through free and secure communication guaranteeing the protection of personal information.
  • For economic actors: develop efficient and innovative business solutions.
  • For future generations: ensure value-based education and the collection of experience resulting in healthy, undisturbed mental development.
  • For electronic public administration: promote the innovative and future-oriented development of public service.

 

NATIONAL CYBER SECURITY STRATEGY - NIS Capacities

Year of adoption: 2013
Updates and revisions

The National Cyber Security Strategy of Hungary (NCSS) was adopted in 2013, enacted by Government Decision No. 1139/2013.

Implementation and monitoring

The National Cyber Security Coordination Council, created by the National Cyber Security Strategy, is the highest political coordination body in Hungary. The members of the Council are the ministerial leaders delegated by the ministers with responsibilities in the field of cyber security matters – including State Secretaries of Defence, Interior, Foreign Affairs and Trade, Finance, National Development – together with the heads of independent public entities, such as the Hungarian National Bank, and the National Media and Telecommunications Authority. The Council operates under the supervision of the Ministry of Interior.

Operational capacity building

Government Computer Emergency Response Team, GovCERT-Hungary: www.cert-hungary.hu, established 2013 (Hungarian with some information in English).

The core operational cyber security capabilities and cyber incident management are centralised to the governmental computer emergency response team in Hungary, GovCERT-Hungary, which is part of the National Cyber Defence Institute and supervised by the Ministry of Interior. GovCERT-Hungary provides services for the whole Hungarian governmental administration – especially for the government backbone system, for critical infrastructures and the municipalities.

GovCERT-Hungary has nearly 4,000 institutions as partners, and contributes to the protection of critical infrastructure with the National Directorate General for Disaster Management.

  • GovCERT-Hungary has growing capabilities in: information exchange, sharing, publishing, information security awareness campaigns, training, technology watch, security consultancy, cyber incident response, coordination, resolution, basic malware analysis, manual analysis of system and firewall logs, source code validation, forensic examinations, and network traffic evaluation.
  • GovCERT-Hungary participates in national and international cyber defence and crisis management exercises on a regular basis. The agency also provides educational materials and holds training sessions for its constituents.
  • GovCERT-Hungary liaises with the private sector for the purposes of promoting information exchanges and raising awareness in the field of information and network security in the private sector.
  • As a national contact point, GovCERT-Hungary builds active co-operation within the international Computer Security Incident Response Team (CSIRT) and Critical Information Infrastructure Protection (CIIP) community.

Sectorial CERTs are also being established: beyond the existing CIIP CERT (operating under the National Directorate General for Disaster Management), another two are being set up, one for defence within the Military National Security Service, and another one for civilian intelligence within the Information Office.

Other capacity-building measures: research and education

In March 2017, the National University of Public Service (NKE) in Budapest set up an academy of cyber security.

The Cyber-Security Academy is responsible for synchronizing the existing resources of each faculty, research facility and workshop, to support cyber security research and experts, and to improve IT infrastructure and establish a special laboratory for it.

Legal conditions

The legal framework of most of the Hungarian cyber security organisations was established by Act L of 2013 on the Electronic Information Security of Central and Local Government Agencies, which was the first legal act based on the National Cyber Security Strategy: www.nbf.hu/legis.htm.

Act L of 2013 (also referred to as the 'information security law' or 'cyber law') became the second main pillar of the cyber defence structure. The provisions of the Act are quite wide and applicable to:

  • Constitutional and central state administration bodies, except for the Government and Government Committees.
  • The offices of the representative bodies of local and nationality governments and the administrative associations of the authorities.
  • The Hungarian Defence Forces.

Governmental organisations and bodies have to reach different security institutional levels in information security, categorised on a five-point scale from level 1 to level 5. These levels, depending on the tasks and importance of the organisation, require different security personnel, measures and documents (e.g. IT security officers, log analysis, permanent vulnerability testing). Level 5 organisations have the strictest criteria. The latest guide to declaring these levels is the Executive Decree of the Minister of Interior 41/2015 (15 July).

Legislation/policy requiring security practices/requirements to be mapped to risk levels: Act CLV of 2009 on the Protection of Classified Data, njt.hu/cgi_bin/njt_doc.cgi?docid=126195.265401, maps various security practices to assigned classification levels based on the level of risk involved in disclosing the information.

The National Electronic Information Security Authority, which operates under the supervision of the Ministry of Interior, handles and controls the data of central and local government agencies regarding their cyber security policies and declared security institutional level stipulated by confidentiality, integrity and availability.

Business and Public Private Partnerships

While the National Cyber Security Centre is tasked with liaising with the private sector, there are no formalised public-private partnerships.

The National Cyber Security Forum is a body of the National Cyber Security Coordination Council, giving business CEOs and academic and NGO leaders the opportunity to meet with governmental decision makers. Through the Forum, the non-state sector could become an active partner with the government during the legislative process. Moreover, national and international companies hold great knowledge and experience in the field of cyber security, which should be shared.

Last WISER update July 2017

 

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

GovCERT-Hungary (Hungarian, http://www.cert-hungary.hu/incidensbejelentes) operates an on-site 24/7 duty service to handle incidents.

Incident reports should be sent to the Center by email with all relevant and additional information (e-mail headers, log files, etc.), which is necessary to understand the incident, thus helping our Center to take appropriate measures as soon as possible.
E-mail: cert@cert-hungary.hu
PGP: http://www.cert-hungary.hu/en/pgp/team

Telephone: 00 36 (1) 336 4833

Guidance and Updates

The GovCERT.HU website, http://tech.cert-hungary.hu/, provides information about services, incident reporting and announcements.

Overall assessment 

GovCERT-Hungary provides all the core services but needs to step up a gear in providing updates on the cyber threat landscape, on raising awareness and educational programmes. It should also strengthen links between local government, businesses and educational institutions to create more effective public-private partnerships as there do not seem to be any cybersecurity clusters that could support such partnerships.

Languages: Hungarian with some information in English.
Latest WISER update: July 2017

 
