Photo credit (Robert Schischka): Anna Rauchenberger
Robert Schischka, CEO of nic.at and Head of CERT.at, discusses the origins of Austria’s national CERT, the importance of information sharing, and why organizations often learn more from near misses than from successful cyberattacks.
Laura Kaltenbrunner: Mr. Schischka, how did you get involved in cybersecurity, and eventually with CERT.at?
Robert Schischka: My background is in technology. During my university years, I became deeply involved with computer networking and later spent seven years teaching at the Vienna University of Economics and Business. After that, I joined a subsidiary of the Austrian National Bank, where I worked with the very first versions of digital signatures and Austria’s electronic citizen card.
After several years in consulting, I eventually joined nic.at. Since we operate critical infrastructure, security has always been a major concern.
In 2008, we started asking ourselves why Austria still didn’t have a national CERT. At the time, we were one of the very few countries without such an organization.
The owner of nic.at—a foundation whose mission includes promoting the development of the Internet—ultimately decided to establish CERT.at and provide the initial funding that would allow us to operate independently. Trust is one of the fundamental pillars of the digital world — from e-commerce to everyday communication—so strengthening cybersecurity and trust perfectly aligned with the foundation’s mission.
Laura Kaltenbrunner: Austria didn’t have a national CERT at that time. Why was that?
Robert Schischka: A national CERT is ultimately a cost center rather than a profit center. Its services are neutral, independent, and not tied to selling products or consulting services. Under those conditions, operating such an organization simply isn’t commercially attractive.
In most countries, CERTs therefore emerged either from universities, government institutions, or public-private partnerships.
People simply recognized that there was a need and decided to establish one.
Austria also benefited from its close relationship with the University of Vienna, where an academic CERT already existed. Their primary responsibility was supporting universities, but because they were the only visible cybersecurity contact point in Austria, they received many reports from outside academia as well.
The underlying idea behind CERTs is that each community should organize its own incident response capabilities. Today, Austria has several specialized CERTs, including ACOnet CERT for academia, Austrian Health CERT for healthcare, Austrian Energy CERT for the energy sector, and GovCERT for federal and regional government. The national CERT therefore also acts as a fallback whenever no other organization is responsible — if in doubt, reports eventually end up with us.
Laura Kaltenbrunner: What role does CERT.at play within Austria’s cybersecurity ecosystem?
Robert Schischka: One advantage of our position is that we are neither a government authority nor a commercial security provider. We cannot impose penalties, nor do we compete with anyone because we neither sell products nor provide consulting services.
For us, information and trust are the most important assets.
Organizations benefit enormously from learning that someone else has encountered a particular problem before they experience it themselves. But to make that work, people need to feel comfortable talking about what went wrong and what mistakes were made.
Many organizations are understandably reluctant to have those conversations with authorities that may later impose penalties. Companies worry about media attention, reputational damage, or commercial consequences.
That’s why we see ourselves as an information hub. We collect information, enrich it, anonymize it where necessary, and distribute it again. The identity of the affected organization is usually not what matters most. What matters is understanding the attack pattern. How did the attackers operate? How can others detect similar activity? How can they minimize the damage? Those are the insights that benefit everyone.
Laura Kaltenbrunner: You’ve spoken a lot about voluntary information sharing. Where do mandatory reporting requirements reach their limits?
Robert Schischka: Mandatory reporting naturally creates a certain psychological barrier. Internationally, we’ve seen that the higher the barrier to reporting an incident, the more organizations filter their information before they report anything at all.
A good historical example was the telecommunications regulation, which required providers to notify Austria’s regulatory authority (RTR) once specific thresholds had been exceeded.
In practice, however, very few reports contained information that was actually useful. Everything was filtered through legal departments until only the absolute minimum remained. And if the reporting threshold wasn’t reached, nothing was reported at all.
What we actually need are reports about near misses. If 50,000 people in Austria suddenly can’t make phone calls, nobody needs a formal report — that’s already on the front page of every newspaper.
What interests me is the incident where someone detected the attack just in time. An attack occurred, the attacker was identified, countermeasures were implemented, and fortunately nothing serious happened. Those are exactly the situations we can learn from.
Unfortunately, mandatory reporting often doesn’t capture those kinds of incidents. That’s why we position ourselves as an interface between authorities and affected organizations, enabling meaningful information to be shared quickly. Other organizations can then learn from those experiences and avoid making the same mistakes.
The focus isn’t on assigning blame or threatening sanctions, but rather on improving the overall resilience of an entire industry—or society as a whole.
Laura Kaltenbrunner: How does this information sharing work in practice?
Robert Schischka: There are several ways. Some reports come through formal reporting portals or online forms, others arrive via email, and very often people simply pick up the phone.
Within the CERT community, we rely heavily on Mattermost as a real-time collaboration platform. Members of our Austrian Trust Circle, for example, actively exchange observations there. If someone notices unusual attack patterns, they can immediately share them with the community.
And if someone says, “I’ll tell you this, but please keep us anonymous,” then we naturally handle that through direct communication channels. In reality, many of the most valuable exchanges happen over the phone or during personal conversations.
Beyond that, we also receive information from automated systems, international CERT networks, and numerous external intelligence sources.
One particularly valuable source is Shadowserver, a non-profit organization that forwards everything with an Austrian connection to us. We then enrich that information using our own systems and map it to the affected organizations.
At the same time, it’s important to learn how to assess the quality of different intelligence sources. Some are excellent for specific topics. Others create an impression of great importance, require extensive confidentiality agreements, and then fail to provide something as basic as an accurate timestamp. The quality of intelligence can also fluctuate significantly over time.
Laura Kaltenbrunner: Trust seems to play a central role in the work of CERT.at. How do you build an environment where people are willing to share information?
Robert Schischka: We’ve launched several initiatives, including the Austrian Trust Circle. Its entire purpose is information exchange — learning from each other’s experiences and turning those lessons into practical value.
We meet in person several times a year, bringing together people from a wide range of industries. The goal isn’t to present success stories. It’s to openly discuss what happened and what didn’t go well.
Building that level of trust took time. In some cases, it took several years before people felt comfortable sharing their experiences.
One defining moment for me was the Conficker worm outbreak in the Austrian state of Carinthia. We convinced the head of IT for the regional government to openly describe what had happened during the crisis and how the incident response had unfolded.
For many participants, that level of openness became a turning point. It made the value of these discussions tangible. The principle is simple: this time I share my experience, next time you share yours—and both of us benefit.
Laura Kaltenbrunner: What does everyday life at CERT.at actually look like?
Robert Schischka: When we first established CERT.at, we naturally had certain expectations about what our daily work would involve. Looking back, some of those assumptions turned out to be completely wrong.
The classic image of incident response — arriving with an emergency toolkit, being dropped into a company in crisis, and saving the day — actually happens very rarely.
A large part of our work consists of collecting information, evaluating it, and sharing it with others.
One thing that absolutely proved true, however, is how important social skills are.
We need people with a solid technical background. But if I have a brilliant technician whom I can’t let talk to other people, that doesn’t help us very much. Our experts need to explain complex technical situations to non-technical decision-makers and clearly communicate what has happened and what needs to happen next. Otherwise, all the technical expertise in the world doesn’t create much value.
Laura Kaltenbrunner: When should an organization contact CERT.at?
Robert Schischka: Ideally, as early as possible. If an organization falls under NIS2 and experiences a significant incident, reporting will become mandatory anyway.
But we’re equally interested in incidents beyond mandatory reporting requirements. If an organization believes it has observed something technically interesting that could benefit others, we’d very much like to hear about it.
The most important advice is to preserve evidence and avoid destroying artifacts whenever possible.
Many organizations panic and immediately pull the plug. That’s understandable — protecting yourself naturally comes first. But if you have the opportunity to preserve forensic artifacts and share them, that can make an enormous difference for everyone else.
Laura Kaltenbrunner: Why do we need specialized CERTs like the Energy CERT in addition to the national CERT.at?
Robert Schischka: When people think about critical infrastructure, energy is usually the first thing that comes to mind. Without electricity, everything becomes very dark very quickly.
That’s why there was a need for a dedicated community focused specifically on the energy sector and operational technology (OT)—production systems, industrial control systems, and energy distribution. Those environments require highly specialized expertise, and therefore a specialized CERT as well.
Many OT systems are designed to remain in operation for decades. You can’t simply say, “This device no longer receives security patches, let’s replace it.” We still encounter equipment that was designed thirty or forty years ago.
And when those systems were originally built, many manufacturers simply didn’t think about cybersecurity the way we do today. They assumed these systems would always remain isolated. In reality, that kind of isolated operation hardly exists anymore. There’s almost always some form of connectivity.
That’s where safety and security often come into conflict.
Laura Kaltenbrunner: Cybersecurity doesn’t stop at national borders. How does international cooperation work?
Robert Schischka: Without international cooperation, CERTs simply couldn’t function.
When we started, we benefited greatly from the University of Vienna already being active in several international communities. We also had an excellent relationship with colleagues in Switzerland. Their organizational structure was very similar to ours, and they essentially opened many doors for us.
Today, we rely on automated intelligence feeds, real-time communication with colleagues, and numerous information-sharing platforms. I personally coordinate one exchange platform for the financial sector, helped establish similar initiatives for the energy sector, and participate in several international communities.
Beyond those formal structures, however, there are also informal networks. Sometimes someone simply thinks of you and says, “Something just happened that might be relevant for Austria."
Of course, you can’t plan for that. New incidents don’t arrive every Monday morning. They usually show up on Friday evening instead.
And sometimes you spend days preparing for a major crisis—and nothing happens. Then, all of a sudden, the world turns upside down.
Laura Kaltenbrunner: Do you have an example?
Robert Schischka: There was an incident where British Airways forgot to arrange visas for a group of passengers.
The travelers weren’t allowed to leave the airport. That eventually triggered a major social media backlash in Turkey, which escalated into cyberattacks targeting both the airport and the Austrian National Bank.
I’m fairly certain that nobody had a scenario like that in their risk assessment. And those are often the most fascinating incidents—the ones nobody saw coming.
Laura Kaltenbrunner: Looking ahead, what positive developments are you currently watching with the greatest interest?
Robert Schischka: That’s a difficult question—it’s not exactly easy to be optimistic at the moment.
What I do see, however, is that awareness of cybersecurity has increased significantly. Organizations are taking the topic much more seriously than they used to. Compliance requirements certainly play a role here, especially because many regulations now hold executive management personally accountable.
There was a time when many organizations preferred to push IT security aside. Particularly with cloud services, people often assumed they could simply outsource responsibility.
Today, it’s becoming increasingly clear that responsibility cannot be delegated. Security matters. And organizations also need to invest in security awareness.
The downside is that awareness has a limited shelf life. At the same time, attackers continue to improve—especially with the support of artificial intelligence.
Laura Kaltenbrunner: Many current discussions revolve around AI. Is it fundamentally changing the threat landscape?
Robert Schischka: In practice, we’re still often far away from the deepfakes and AI-generated attacks people like to talk about. In many cases, attackers don’t even need them.
Simply telling a convincing story, putting someone under pressure, and creating a sense of urgency already works remarkably well. Sophisticated AI often isn’t necessary at all.
People are still successfully manipulated over the phone by individuals who are exceptionally well trained in conversation techniques and who operate with a level of confidence most people simply don’t expect.
Whether AI is involved or not, one thing remains true: awareness is important, but a healthy communication culture is even more important. Many fraud schemes — such as CEO fraud or business email compromise (BEC) — exploit existing hierarchies within organizations.
The real question for management is therefore: Have I created a culture where employees are encouraged to ask questions? Or does the accountant feel uncomfortable asking whether I really intended to transfer €50,000 to Poland at three o’clock on a Saturday morning?
Personally, I’d be happy if they asked.
Organizations can even establish code words or additional verification procedures. That’s not about mistrust—it’s about recognizing that anyone can become a victim.
Laura Kaltenbrunner: Where do you currently see the biggest threats?
Robert Schischka: We see a growing number of attacks targeting messaging platforms such as WhatsApp. Attackers take over someone’s account and immediately begin contacting people from that person’s contact list. Because the message arrives in a familiar context, it appears trustworthy.
Suddenly you receive a message saying, “Dad, I need money.” Or the classic story: “I’ve lost my phone. This is my temporary number.” A few days later, you’ve forgotten how you originally saved the contact, and the new number suddenly feels legitimate.
The reality is that every one of us can be deceived by a convincing story.
We’re also seeing phishing emails and phone calls of a quality that simply didn’t exist a few years ago.
Colleagues in Finland used to say they rarely encountered convincing phishing emails written in proper Finnish. That is no longer true. Native speakers, AI, and modern translation tools have dramatically improved the quality of these attacks. We’ve even seen cases where victims received calls in a perfect Styrian dialect, displaying the phone number of their own local bank branch and the name of an employee who actually works there.
We therefore have to accept that we can no longer rely on language, dialect, or even the phone number shown on our display. That brings us back to the importance of asking questions, establishing strong communication processes, and maintaining a healthy degree of skepticism whenever something feels unusual or simply too good to be true. It’s no coincidence that investment fraud has become one of today’s fastest-growing fraud schemes.
Laura Kaltenbrunner: Finally, what message would you like to leave with Austrian organizations?
Robert Schischka: One of the most important things is helping employees understand that the security processes organizations put in place—even the inconvenient ones — exist for a reason.
Employees need to become partners in cybersecurity. And organizations need to establish a culture where mistakes can be discussed openly. Because mistakes will happen. That’s simply unavoidable.
The real objective is something different: when someone makes a mistake, they should immediately contact the security team. If they aren’t publicly blamed, ridiculed, or punished, then you’ve achieved something truly valuable.
You’ve created an environment where people are willing to talk about mistakes — and that’s how organizations improve.
Laura Kaltenbrunner: That sounds very similar to the philosophy behind CERTs.
Robert Schischka: It really is.
A good example comes from the aviation industry. Aviation has achieved remarkable improvements in safety by encouraging countries and manufacturers to openly share information about incidents and near misses.
In some cases, pilots even received legal protection when reporting violations or critical situations. That openness enabled the entire industry to learn.
One example involved a pilot who flew into a thunderstorm against procedure. Investigators discovered that all sensors could ice over simultaneously. That finding ultimately led to improvements that benefited the entire aviation industry.
Those lessons would never have been learned if the pilot’s first concern had been facing criminal prosecution.
The same principle applies to companies — and to CERTs.
Organizations need to create an environment where people are willing to talk about problems. Because in cybersecurity, information and trust remain the two most valuable assets we have.
