The system warned that computers at several provincial police departments were receiving unusual information queries from servers located abroad. Someone seeing this for the first time might be tense and overwhelmed, but for the information technology security officers here, no situation is surprising. Their work rhythm remained undisturbed. Everything was already within their incident response scenarios.
Immediately, a workflow was implemented: isolating suspected infected devices, analyzing traffic data, and comparing it with international and domestic malware samples.
The atmosphere was silent, with only the sound of typing and eyes glued to screens. Every action was carried out smoothly, as if repeated thousands of times. Within minutes, the analysis results appeared: This was a type of malware capable of automatically spreading across internal networks.
Officers at the Computer Network Monitoring Center, H05, Ministry of Public Security, can identify, classify, and handle hundreds of thousands of incidents on a normal workday. Photo: Pham Du
A coordinated process was immediately activated: The provincial police's specialized information technology force (the provincial Incident Coordination and Response Force) was notified to isolate the local network. Simultaneously, the main firewall control center activated a policy to block all connections to the malicious server.
About 5 minutes later, the local incident was completely contained. The system returned to normal. Local officials continued accessing the system, processing records, and carrying out their work, with public services uninterrupted, unaware that a "battle" had just taken place silently and been smoothly resolved.
Hundreds of thousands of incidents
Senior Lieutenant Colonel Pham Anh Tuan, Deputy Director of the Computer Network Monitoring Center, said computer network incidents can stem from various causes, even a simple error due to careless user actions. For example, the internal computer network of a district-level police unit was accidentally connected to the internet due to user error.
This seemingly small incident could cause data leaks and losses for the sector. The Center's monitoring system immediately triggered an alert. Center staff quickly coordinated with the unit to isolate the computer, ensuring the safety of the entire system because the risk of infection to other computers using the internal network was very high.
The Center's leadership said that previously, H05 would provide remote guidance for local units to handle incidents themselves. But with the operation of the Computer Network Monitoring Center, incidents, even from commune-level police units, are automatically reported and remotely blocked through an automated system for rapid coordination and response.
Senior Lieutenant Colonel Pham Anh Tuan, Deputy Director of the Computer Network Monitoring Center. Photo: Pham Du
Tuan said there have been many incidents that "seemed small but weren't," where malware could spread to dozens of machines from a single unsecured USB drive. If not detected promptly, the entire internal network of a province could be shut down. These details show that even a small mistake can create a significant risk.
Once, a province reported a widespread network outage. Upon inspection, the Center found the cause was a temporary power failure. However, the entire protocol still had to be followed. "We can't be subjective, because sometimes attackers take advantage of such moments to install malware," he said.
"The response time is measured in minutes, even seconds. If slow, the malware can spread nationwide. All instructions must be precise, clear, and easy to understand, so local units can follow them correctly the first time," a Center officer shared.
Response scenarios are prepared in advance, from blocking malicious domains at the local firewall to disconnecting the infected computer from the network. In more serious situations, the center directly controls the devices, coordinating with local units for thorough handling.
Lieutenant Colonel Nguyen Thi Hai, an officer in the Information Technology and Digital Security Department, said the unit always has scenarios ready to neutralize incidents "within seconds." Given the sector's particular characteristics compared with other fields, H05 is responsible for ensuring information security for hundreds of information systems within the Public Security sector.
In the digital age, when information "security" is ensured, command operations can proceed smoothly. She said the "consequences would be extremely serious" if the system were compromised, so all staff must maintain high focus.
Hai briefly mentioned the increasing number and complexity of cyber threats. According to her, attack methods are becoming increasingly sophisticated, targeted, and large-scale, such as APT and ransomware. Moreover, the changing technological environment requires officers like her to constantly "update their brains" and continuously learn to address vulnerabilities that hackers might exploit.
Along with the monitoring system, centralized anti-malware systems have been deployed across the Public Security network, protecting internal information systems. The lieutenant colonel couldn't recall how many information-gathering activities by organizations and individuals "intruding into the internal network of the public security sector" they had detected. The unit has also dismantled many types of dangerous malware, including variants of the Mustang Panda spyware, which collects and encrypts data.
However, all of them, even the most dangerous malware variants, were "repelled at the door," Hai said.
The three-layered firewall
In the 24/7 "bright screen" control room, about 10 officers work in two shifts, responding to hundreds of thousands of unusual situations daily. But when asked about their work, Senior Lieutenant Colonel Pham Anh Tuan simply said, "There's not much to tell."
He shared that the Center is responsible for monitoring the Public Security sector's network security nationwide 24/7; tracking and detecting any unusual signals; classifying incidents from minor suspicions to major attacks; responding, coordinating handling, and developing defense scenarios to address each type of attack.
Some days, the system may record hundreds of thousands of "red alert dots." While this number sounds overwhelming, according to Center staff, not every "red dot" represents a critical case. The monitoring center operates in three layers to filter and classify these incidents.
Officers at the Computer Network Monitoring Center are determined never to miss an incident, even with sleepless nights. Photo: Pham Du
In the first layer, officers monitor all unusual signs: an IP address constantly pinging externally, a computer connecting to a domain or IP address on the blacklist, alerts from intrusion detection and malware prevention systems, or a sudden surge in queries. The data is recorded as "information security events."
The second layer analyzes and handles more complex events: analysts review logs, run suspicious samples in isolated virtual environments, and compare them against threat databases. The final, in-depth layer draws conclusions. Here, experts conduct further research, classify the nature of the incident, and add new monitoring policies so the system can automatically identify and handle similar incidents in the future, saving time and human resources.
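To make the first layer concrete, here is an added illustration (not the Center's own tooling, and not from the article) of how three of the signals named above can be turned into "information security events" for the second layer: a host contacting one external address at a steady interval, any contact with a blacklisted IP or domain, and a sudden surge in queries from a single host. The connection records, the blacklist entries, the internal address ranges, and the thresholds are all constructed for the example.

```python
"""First-layer event triage over constructed connection records (added example)."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed blacklist: hypothetical indicators, not real IoCs.
BLACKLIST = {"203.0.113.250", "bad-update.example"}

# Constructed internal ranges (RFC 1918) used to decide what counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: (timestamp in seconds, source host, destination, kind).
RECORDS = (
    # pc-03 reaches the same external address every 30 s: beaconing pattern
    [(t, "pc-03", "203.0.113.10", "conn") for t in range(0, 180, 30)]
    # pc-07 resolves a blacklisted domain once
    + [(40, "pc-07", "bad-update.example", "dns_query")]
    # pc-12 fires 25 DNS queries inside one minute: query surge
    + [(5 + i * 2, "pc-12", f"host{i}.internal.example", "dns_query") for i in range(25)]
    # pc-01 talks to an internal server at irregular times: benign
    + [(t, "pc-01", "10.0.0.5", "conn") for t in (3, 50, 51, 130, 400, 401)]
)


def is_external(dst):
    """Hostnames and any IP outside the internal ranges count as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return True  # a domain name: resolved and reached outside the internal net
    return not any(addr in net for net in INTERNAL_NETS)


def find_blacklisted(records, blacklist=BLACKLIST):
    """Any contact with a blacklisted IP or domain is an event on its own."""
    return [
        {"signal": "blacklist", "host": src, "dst": dst, "t": t, "tier": "high"}
        for t, src, dst, _kind in records
        if dst in blacklist
    ]


def find_beacons(records, min_count=5, max_jitter=2.0):
    """Flag (host, external destination) pairs contacted at a near-constant interval."""
    by_pair = defaultdict(list)
    for t, src, dst, _kind in records:
        if is_external(dst):
            by_pair[(src, dst)].append(t)
    events = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low spread between consecutive contacts is the beaconing fingerprint.
        if pstdev(gaps) <= max_jitter:
            events.append({"signal": "beacon", "host": src, "dst": dst,
                           "interval": mean(gaps), "tier": "medium"})
    return events


def find_query_surges(records, window=60, threshold=20):
    """Flag a host that issues more than `threshold` queries within one time window."""
    counts = defaultdict(int)
    for t, src, _dst, kind in records:
        if kind == "dns_query":
            counts[(src, t // window)] += 1
    return [
        {"signal": "query_surge", "host": src, "window": w, "count": n, "tier": "low"}
        for (src, w), n in counts.items()
        if n > threshold
    ]


def triage(records, blacklist=BLACKLIST):
    """First layer: gather every signal, highest tier first, for the second layer."""
    order = {"high": 0, "medium": 1, "low": 2}
    events = (find_blacklisted(records, blacklist)
              + find_beacons(records)
              + find_query_surges(records))
    return sorted(events, key=lambda e: order[e["tier"]])


if __name__ == "__main__":
    for event in triage(RECORDS):
        print(event)
```

On the constructed records the triage yields three events: the blacklisted lookup from pc-07 (high), the 30-second beacon from pc-03 (medium), and the 25-query burst from pc-12 (low), while pc-01's irregular internal traffic produces nothing. The tier is only a hint for prioritisation; as the article describes, the second layer still has to confirm each event against logs, sandbox results, and databases.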
To enhance network security activities, H05 is leading the development of a project to improve digital security capabilities for the entire Public Security force. Lieutenant General Duong Van Tinh, Director of the Information Technology Department, provides direct and continuous guidance.
"This is expected to be a comprehensive overview of the current information security status within the public security sector. The project covers everything from policies to personnel, organizational structure, and technology," Hai shared. The project aims to enhance digital security capabilities, proactively prevent threats early and remotely, and be prepared to respond to information security risks within the People's Public Security.
The project also aims to "fundamentally change perceptions" and working methods for proactive adaptation. "This will shift the model from dispersed protection to centralized protection. From reactive incident response to proactive early prediction and warning for effective prevention and response.
The project also aims to plan information security systems following the global trend of Zero Trust - not trusting any person or device without clear verification," the H05 officer shared.
Unlike other crime-fighting fronts, at the Information Technology Department, the pressure doesn't come from individuals with weapons or gunshots. It comes from the fear that if a single "breach" occurs, the entire data system, the operation of the whole sector, and public administrative procedures involving millions of citizens will be at risk.
Therefore, officers, even with sleepless nights, never take their eyes off the screens. "No one complains because everyone understands they are keeping the nationwide system running smoothly," they said.
Protecting network security, for them, is also protecting national security. Though their work is quiet and little-known, they remain the "firewall" with a vital mission, stopping hackers as soon as red dots flicker on the map.
Pham Du - Hai Thu