
Office of the National Security Council Republic of Croatia Croatian Cyber Security Approach and the Role of NSA - Current Situation and Future Plans -


1 Office of the National Security Council, Republic of Croatia
Croatian Cyber Security Approach and the Role of NSA - Current Situation and Future Plans -
Multi-country Workshop on Developing National Cyber Security Capacities (TAIEX JHA59743)
Sarajevo, Bosnia and Herzegovina, 6 - 7 April 2016
Dr. Aleksandar Klaić

2 Agenda:
1. Strengths, Weaknesses, Opportunities, Threats (SWOT) Analysis – Cyber Security Strategy development (2014); the role of the Croatian NSA in the lessons-learned process during the years preceding Strategy development (2004 - 2014)
2. Overview of the Croatian National Cyber Security Strategy, main objectives and areas of the Strategy (2014 - 2015)
3. Expectations and Directions (2016 and beyond)
4. Conclusion

3 Strengths
- Ratification of the Budapest Cybercrime Convention (NN MU 09/02)
- National Information Security Programme, 2005 (www.cert.hr/sites/default/files/CCERT-PUBDOC-2005-04-110.pdf - in Croatian)
- Analysis of the State and Possible Threats to the Public Telecommunications, Office of the National Security Council (UVNS), 2009 - 2010
- Early Warning System on the Internet (SRU@HR)
- National CERT, 2011
- Ordinance on the Method and the Terms for the Implementation of the Measures for the Protection of Security and Integrity of the Networks and Services (NN 109/12, 33/13, 126/13 – in Croatian)
- HAKOM (NRA), MPPI, UVNS, NCERT (Directive 2009/140/EC, ENISA – 2011-14)

4 Implementation of the Croatian National Information Security Programme enacted in 2005:

5 National CERT Responsibility and International Exchange of Security Incident Information

IP address                  | Domain                 | Physical Location | Domain Owner
1. Croatian S/H* Providers  | .hr                    | Croatia (RH)      | Domestic/Foreign
2. Croatian S/H* Providers  | .com; .net; .org; …    | Croatia (RH)      | Domestic/Foreign
3. Foreign S/H* Providers   | .hr                    | Out of Croatia    | Domestic/Foreign
4. Foreign S/H* Providers   | .com; .net; .org; …    | Out of Croatia    | Domestic

* S/H = Service or Hosting
Red arrows = feeds to National CERT; black arrows = notifications from National CERT (diagram not reproduced in the transcript)

6 National CERT Cyber Security Incident Statistics in 2014

No. | Incident Type                  | Number | Percentage
1.  | Web Defacement                 | 389    | 36.00%
2.  | Phishing URL                   | 334    | 31.00%
3.  | Malware URL                    | 220    | 21.00%
4.  | Other Incidents                | 45     | 0.04%
5.  | Denial of Service (DoS)        | 25     | 0.03%
6.  | Spam URL                       | 20     | 0.02%
7.  | Forbidden Network Activities   | 12     | 0.01%
8.  | Command & Control Centres      | 7      | 0.01%
…   | …                              | …      | …

7 Mediation Activities of the Croatian NSA - Examples
- Croatian Internet Exchange (CIX) – (2009/10): not-for-profit service – Academic Sector Computing Centre (SRCE)
- Home ADSL – WiFi Routers – (2009/10): initiative for a more active approach of the NRA and ISPs
- EU Directive 2009/140/EC on the regulatory framework for el. comm. networks and services (Article 13a) – (2011/12): Technical Guideline for Minimum Security Measures (ENISA); Technical Guideline on Reporting Incidents (ENISA)
- EU NIS Directive COM(2013) 48 final – (2013 and onwards)
- Mediation activities in other sectors (mainly usage of CI): National Security (LI), Defence (CIP), Financial, Transport, …

8 Weaknesses
- Slow acceptance of the data and infrastructure owners’ security responsibilities
- Inadequately developed culture of risk management

- Frequent regulation inconsistency – general, sectoral, EU
- New security concepts such as critical infrastructure protection

- Hierarchical tradition of government administration (silo effect)
- Very limited information sharing practices (departmental, sectoral)

- Lack of education that supports virtual society development
- Unclear criteria for the verification of educational programmes

9 Croatian NSA Roles (Legacy)
- NSA Oversight Authority: recommendations and initiatives
- Government sector (MoI, MoD, …); Industrial Security Programme (FSCs) -> reorganization and information sharing initiatives
- National Security Policy (Information Security Areas): Personnel Security, Physical Security, Security of Classified Information, CIS Security, Industrial Security
- Financial Sector, Ministry of Health, State Inspection, …; Law Enforcement Agencies / Lawful Interception, Critical Infrastructure, Defence; Telecommunication Sector, Sector of Transport, … -> national and sectoral security policy harmonisation

10 Opportunities
- Social Development; Education and Culture; Economic Development
- Development of national capabilities in cyberspace
- Interrelation of national & sectoral policies, infrastructures, capabilities and potential products
- Support to all economic sectors

11 Croatian NSA Initiatives
- Information Sharing initiatives:
  - Academic - Governmental: (MoU) NCERT – MoI - MoD
  - Governmental: Ministry of Administration (e-Gov) – ZSIS – UVNS
  - Telecomm Sector: (Ordinance) Ministry – NRA (ISPs) - NCERT
- (EU) Digital Agenda: active role in the Strategy e-Croatia 2020 and the Government Information Infrastructure Council (Ministry of Administration)
- (EU) Smart Specialization Strategy: Security/Cyber Security area – closely coordinated with the National Cyber Security Strategy (Ministry of Economy)

12 Threats
- Declarative approach to development strategies: inefficient in transition societies that need reforms and clear development policies
- Insufficient awareness of the need and necessity of national capabilities development
- Inadequate capacity for public-private partnership
- General society goals vs particular objectives of stakeholders; (inter)national market rules vs national competitiveness
- Problem of the society as a whole

13 Cyber Security Strategy – Development Method for the Strategy
The way how to (within the virtual society):
- Identify societal sectors and subsectors
- Assess sectoral specifics
- Do the planning of organisational prerequisites
- Recognize the threat environment
- Establish a comprehensive coordination process
Scope, Requirements, Content, Management

14 Cyber Security Strategy Vision
- Cyberspace = virtual dimension of the society
- Protection of core values of liberty, fairness, transparency and the efficient rule of law
- Development of certain capabilities and mutual coordination of all the societal (industrial) sectors
- Primarily an organizational framework for the range of issues
Croatian National Cyber Security Strategy (CRO, ENG):
- Office of the National Security Council (UVNS) – responsible body
- More than 30 institutions participated in the Government Interdepartmental Committee for drafting the strategy
- Started in April 2014, enacted on 7 October 2015

15 Cyber Space Regulation and Security Policy … Gaps:
- Critical Infrastructure Protection: National Critical Sectors
- Government Security Policy: Classified / Unclassified Information Protection; Sensitive Information; Sensitive Infrastructure
- Duty of Diligence: Awareness & Responsibility
- Duty of Care: Appropriate Protection Measures

16 Information Security Policy vs Cyber Security Policy
- UK – Cyber Essentials Scheme: boundary firewalls and internet gateways, secure configuration, access control, malware protection, patch management; mapping to ISO 27001/02, ISF, HMG, …
- US – Framework for Improving Critical Infrastructure Cybersecurity; mapping to NIST SP800-53, ISO 27001, COBIT, …
What is the difference between IS and CS policy?
- Cyber Security Risk vs Information Security Risk; Core Strategic Risk vs Operational Risk
- Organisational factor in the policy; interdependencies among key policy factors

17

18 In the interpretation of the Croatian National Bank [1], the duty of care principle can be easily recognized (both in relation to e-banking service providers and in relation to e-banking clients), as well as the duty of diligence principle regarding awareness of the risks in business activities for e-banking service providers. It is an interpretation of the non-repudiation criteria from the business point of view and not from the technical point of view (core strategic risks vs operational risks).

[1] Extract from the interpretation of the Croatian National Bank regarding e-banking fraud from May 28, 2014 (http://www.hnb.hr/-/objasnjenje-hrvatske-narodne-banke-u-povodu-zanimanja-javnosti-za-pitanja-vezana-uz-zloporabu-usluge-elektronickog-bankarst-1, in Croatian):
“... according to the law the bank is accountable to prove that an authentication of the payment transaction was done, that the transaction was correctly registered and accounted, and that the realization of the payment transaction was not influenced by a technical failure or any other deficiency. However, it is prescribed that the fact that an e-banking service provider has recorded the usage of a payment instrument is not necessarily enough in order to prove that the payer (e-banking client) authorized that payment transaction, or that the payer proceeded fraudulently, or that the payer on purpose or due to extreme negligence has not fulfilled one or more of its obligations...”

19 Information Security Policy vs Cyber Security Policy
What else is the difference between IS and CS policy?
- Cyber Security Risk vs Information Security Risk; Core Strategic Risk vs Operational Risk
- Organisational factor in the policy, and the interdependencies among key policy factors
* Systemic Security Management: ICIIP/ISACA

20

21 The Method for the Elaboration of the Strategy and Action Plan:

22 The Main Elements of the Croatian Strategy:

23 Correlation of the Strategy and Action Plan
Strategy: the VISION is defined with 8 GENERAL GOALS; 5 AREAS and 4 INTERRELATIONS with 35 SPECIFIC OBJECTIVES
Action Plan: the 35 SPECIFIC OBJECTIVES are elaborated with 77 MEASURES
Objectives & measures harmonised by the Interdepartmental Committee
Areas & Interrelations marked in red are covered by most of the measures: (B) Gov. Inf. Infrastructure, (D) Critical Inf. Infrastructure & Crisis Management, (I) Education, Security Awareness, R&D

Areas and Interrelations (5+4) | A | B | C | D  | E | F | G | H | I
Specific Objectives (35)       | 3 | 3 | 2 | 5  | 5 | 5 | 3 | 6 | 3
Measures (77)                  | 3 | 8 | 4 | 13 | 5 | 6 | 5 | 6 | 27

24 Levels for the Strategy Planning Process
- Strategic Level – Planning: strategies and national policies
- Tactical Level – Implementation: sectoral policies harmonisation
- Operational and Technical Level – Enforcement: information sharing, incident treatment, …

25 Covered Levels in the Initial Documents

26 Stakeholders & Strategy Implementation Management
- National Council for Cyber Security
- Operational and Technical Cyber Security Coordination Group
- Other Institutions – Stakeholders in the Strategy & Action Plan

27 Conclusion
- Cyber Security (CS) – a comprehensive societal approach is needed (cyber risks treated as core strategic risks); a complex organizational issue
- Information Sharing – why is it so hard? Among peer organizations (trust); inside a heterogeneous system of entities (trust & knowledge)
- The role of the NSA – security policy planning & oversight purview combined with a proactive security policy approach: the „ideal candidate” for coordination and mediation of cyber strategy issues
- Classified Information vs Sensitive/Protected Information
- National CS strategy – nation-wide policy („shallow”); specialized CS strategies – narrow sectoral policies („deep”) that rely on the national strategy (typically intelligence and military aspects)

28 Thank You!
Aleksandar Klaić, Ph.D., Assistant Director for Information Security
aleksandar.klaic@uvns.hr
Office of the National Security Council
tel. +385.1.4681 222, fax. +385.1.4686 049
www.uvns.hr

