Cyber Security, Cyber Defence and Cyber Operations
National Framework and International Cooperation
Office of the National Security Council, Republic of Croatia
RACVIAC: Building a Cyber Resilient Society in South-Eastern Europe – Advanced Training Course, supported by the NATO Science for Peace and Security Programme
Zagreb, 17 October 2016
Dr. sc. Aleksandar Klaić

Table of Contents:
1. Global trends and developments in Cyberspace – Situational awareness
2. Cyber Terms & Definitions – Taxonomy
3. Information Security Policy vs Cyber Security Policy
4. National Cyber Security Strategy Framework – Croatian Example
5. Conclusion
Actual Cyberspace Related Trends in NATO
NATO Warsaw Summit Communiqué, July: „… recognise cyberspace as a domain of operations in which NATO has to defend itself as effectively as it does in the air, on land, and at sea …”
- Baseline Requirements for National Resilience
- Security implications of energy supply and national critical infrastructure …

Actual Cyberspace Related Trends in the EU
- Cybersecurity Strategy of the EU: An Open, Safe and Secure Cyberspace, 7 February 2013
- NIS Directive (EU) 2016/1148, 6 July 2016
- eIDAS Regulation (EU) No 910/2014
- A Digital Single Market Strategy for Europe, May 2015
- GDPR Regulation (EU) 2016/679, 27 April 2016
- GDPR Directive (EU) 2016/680, 27 April 2016
- Contractual Public-Private Partnership on Cybersecurity

International Cyberspace Related Trends
Opinion of the Council of the EU, July 2013, 12109/13: „... international law, including international conventions such as the Council of Europe Convention on Cybercrime (Budapest Convention) and relevant conventions on international humanitarian law and human rights, such as the International Covenant on Civil and Political Rights, the International Covenant on Economic, Social and Cultural Rights provide a legal framework applicable in cyberspace. Efforts should therefore be made to ensure that these instruments are upheld in cyberspace; therefore the EU does not call for the creation of new international legal instruments for cyber issues, ...”
- UN, OECD, OSCE – regionally targeted initiatives
- Meridian process (CIIP)
- International Chamber of Commerce: ICC Cyber Security Guide for Business
Cyberspace
Cyberspace = virtual dimension of the society
- Internet and all connected communication and information systems
- Infrastructure and data
- People?

Cyber Security
- Capacitation and mutual coordination of all societal sectors
- Protection of the core values of liberty, fairness, transparency and the efficient rule of law
- Primarily organizational issues
- Societal sectors (public, academic, economic, citizens)
- Sectoral cyber security stakeholders with different understanding of cyber issues, different competences, responsibilities, tasks, needs, expectations, interests, …
Cyber Terms & Definitions
Cyber Security: „Preservation of confidentiality, integrity and availability of information in the Cyberspace.” (ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity)
Cyber Security: „The ability to protect or defend the use of cyberspace from cyber attacks.” (NIST, US Department of Commerce: Glossary of Key Information Security Terms)
Cyber Operations: „The employment of cyber capabilities with the primary purpose of achieving objectives in or by the use of cyberspace.” (Tallinn Manual on the International Law Applicable to Cyber Warfare, NATO CCD COE)

Cyber Terms & Definitions
Cyber Defence:
- „Represents the part of the defence strategy falling under the responsibility of the ministry in charge of defence issues.” (Croatian Cyber Security Strategy, 2015)
- „Refers to all measures to defend cyber space with military and appropriate means for achieving military-strategic goals. Cyber defence is an integrated system, comprising the implementation of all measures relating to ICT and information security, the capabilities of milCERT and CNO (Computer Network Operations) as well as the support of the physical capabilities of the army.” (Austrian Cyber Security Strategy, 2013)
- „The set of all technical and non-technical measures allowing a State to defend in cyberspace information systems that it considers to be critical.” (Information Systems and Defence – France’s Strategy, 2011)
Cyber Taxonomy …
Hierarchical domain taxonomy comprised of vocabulary (terms), definitions of terms (concepts) and relations to other concepts:
I. Cyberspace – virtual part of the society
II. Cyber Security – National Cyber Security Strategy (NCSS)
III. Cyber Crime – NCSS, Criminal Code, …
III. CIIP – CIP, NCSS
III. Cyber Defence – Military Doctrine
III. Cyber Espionage – separate strategy/policy
III. Cyber Terrorism – separate strategy/policy
III. …
National CERT Responsibility and International Exchange of Security Incident Information

     IP address                 Domain                   Physical Location   Domain Owner
  1. Croatian S/H* Providers    .hr                      Croatia (RH)        Domestic/Foreign
  2. Croatian S/H* Providers    .com; .net; .org; …      Croatia (RH)        Domestic/Foreign
  3. Foreign S/H* Providers     .hr                      Out of Croatia      Domestic/Foreign
  4. Foreign S/H* Providers     .com; .net; .org; …      Out of Croatia      Domestic

* S/H = Service or Hosting
Legend of the original diagram: red arrows = notifications/feeds to the National CERT; blue arrows = notifications from the National CERT.

National CERT functions (direct functional and sectoral approach):
- Early warning
- Incident handling
- Analysis and forensics
- Information sharing
- Situational awareness
CERT Taxonomy …
CERT = CSIRT
- Public sector: national, governmental, departmental, …
- Private sector: abuse teams, SOC / CSOC, …
- Economic sectors/regulators: ISACs (Information Sharing and Analysis Centres)
- Subsidiarity principle: national coordination; sub-national scope of operation (Gov, Dept, Sector, Company, …)
- Intelligence analysis trend
From Information Security to Cyber Security
Cyber Security Policy vs Information Security Policy
- UK – Cyber Essentials Scheme: boundary firewalls and internet gateways, secure configuration, access control, malware protection, patch management; mapping to ISO 27001/02, ISF, HMG Government Security Policy, …
- US – Framework for Improving Critical Infrastructure Cybersecurity; mapping to NIST SP 800-53, ISO 27001, COBIT, …

What is the difference between IS and CS policy?
- Cyber Security Risk vs Information Security Risk
- Core Strategic Risk vs Operational Risk
- Company Management Board vs IT Department
- Classified Information – Head of Gov. body
- Organisational (key) factor in the policy, plus: People / Process / Technology
- Interdependencies among the four key policy factors

Security Policy
- Baseline procedures / risk management
- Information centric / value centric
- Protected information (regulation): classified information; unclassified information (LIMITE, FOUO, …); personal data; intellectual property; trade secret
- Sensitive information / infrastructure?

Cyber Space Regulation and Security Policy … Gaps:
- Critical Infrastructure Protection
- National critical sectors
- Government Security Policy
- Classified / unclassified information protection
- Sensitive information
- Sensitive infrastructure
- Duty of diligence
- Awareness & responsibility
- Duty of care
- Appropriate protection measures

Security of the Virtual Dimension of Society
SECURITY – TRUST
- Communication
- Cooperation
- New emerging threats
- Information sharing
- e-Government, public electronic services
- CIP / CIIP
- Security awareness and education
Implementation of Croatian National Information Security Programme enacted in 2005:

The Main Elements of Croatian Strategy:

The Method for the Elaboration of Strategy and Action Plan:
Correlation of the Strategy and Action Plan
- Strategy: VISION is defined with 8 GENERAL GOALS; 5 AREAS and 4 INTERRELATIONS with 35 SPECIFIC OBJECTIVES
- Action Plan: 35 SPECIFIC OBJECTIVES are elaborated with 77 MEASURES
- Areas & Interrelations marked in red in the original chart are covered by most of the measures: (B) Gov. Inf. Infrastructure, (D) Critical Inf. Infrastructure & Crises Management, (I) Education, Security Awareness, R&D
[Chart: Areas and Interrelations (5+4, A–I) against Specific Objectives and Measures]

Levels for the Strategy Planning Process
- Strategic level – planning: strategies and national policies
- Tactical level – implementation: sectoral policies, harmonisation
- Operational and technical level – enforcement: information sharing, incident treatment, …

Covered Levels in the Initial Documents
- Strategy and Action Plan (10/2015)
- Interdepartmental bodies (06/2016)
- Further enhancements on the basis of the regular yearly control and the 3-year period of the Strategy revision
Stakeholders & Strategy Implementation Management
- National Council for Cyber Security (representatives from 16 institutions headed by the Office of the National Security Council; Government Decision in the Official Gazette 61/2016)
- Operational and Technical Cyber Security Coordination Group (representatives from 8 institutions headed by MoI)
- Other institutions – stakeholders in the Strategy & Action Plan, societal sectors in general
NIS Directive correlation: EU NIS Cooperation Group; National Single Point of Contact; CSIRTs Network; National Competent Authorities; other requirements
Conclusion
- Cyberspace – virtual dimension of the society
- Cyber Security – trust for economy development
- Cyber Taxonomy – terms, definitions, relations
- Cyber Security Strategy / Policy – national / institutional frameworks for cooperation in the virtual dimension of the society; organisational factor

Thank You!
Aleksandar Klaić, Ph.D., Assistant Director for Information Security, Office of the National Security Council, Croatian NSA/DSA