Lately I find myself attending meetings where the need for a single coordinating body over the various efforts of computer / network / cyber security is stressed. Roll back 15 years:
Once upon a time (circa 1996) the GRNET-CERT was formed. It was nothing official, just three guys (me, Georgios Koutepas and Costas Troulos) and a mail alias. Since we had no funding and the legal landscape was non-existent our main focus was on trying to stop whatever incidents occurred. It seemed to work pretty well at the time. We even managed to find some funding and some of us attened FIRST‘s 1998 and 1999 meetings. With the emergence of the GRNET2 project GRNET-CERT was handed over to another institute for operations. Our interests had already shifted from (pure) incident response and we never really followed-up the national progress on that front.
In the meantime the Greek state responded to the void that was forming regarding the legal side of matters. And it did so in the wisest of ways that we are used to being treated to. It formed a multitude of authorities to cover the area, sometimes conflicting one another. Nature abhors vacuum, but as Rob Pike said “sometimes when you fill the vacuum, it still sucks”. There can appear types of incidents that might require reporting to three (or even four) different authorities with no clear roadmap on what one is expected to do if one receives conflicting guidance on subjects that at times require rapid response.
It is a saddening thought to see that the manpower and the resources exist (something that was not that obvious back in 1996), that people with skill, knowledge and willingness to work exist, yet the overall progress is kind of minimal.
Managing organized complexity 