An Approach to defining
the Scope and the Method
for Cyber Security Strategy
Development
Aleksandar Klaic, Ph.D.
Office of the National Security Council,
Croatia
Subjects
1. Cyber Space and the Scope of
Strategy
2. A Method for Cyber Security Strategy
Development
3. Cyber Security in Croatia, National
Strategy Drafting Process
Cyber Space - Importance
• Internet vs Cyber Space
– Dial-up, Broadband, Cloud SaaS, PaaS, IaaS …
– PSTN, ATM, IP, VoIP, IP TV, Triple Play, …
• Societal necessity
– Citizens
– Business
– Government
• A new dimension of our lives
Virtual Dimension of the Society
• Vision / Final Goal
• . . . to derive huge economic and social value
from a vibrant, resilient and secure cyberspace,
where our actions, guided by our core values of
liberty, fairness, transparency and the rule of
law, enhance prosperity, national security and a
strong society.
• Implementation of the laws and regulations
within the new virtual dimension of the society –
cyber space.
• . . .
How to achieve this goal?
• Identification of Societal
Sectors/Subsectors
• Assessment of Sectoral specifics
• Implementation of Organisational
prerequisites
• Assessment of Threat Environment
• Coordination and Management Process
Identification of Societal Sectors
• Government, Business, Citizens
– Academic Sector
– Functional areas (cyber crime, cyber terrorism, cyber defence, …)
• Communication and Inf. Infrastructure
– Public telecommunications, Gov. infrastructure
– Critical (Information) Infrastructure (CI, CII)
– Sensitive Categories of Information, Critical National
Electronic Registers, …
• e- Services
– e-Government, e-Banking, e-Commerce, …
Assessment of Sectoral Specifics
• Sectoral laws & regulations
– Responsible institutions
– Sensitive information & information sharing
• International requirements
– Implemented Initiatives
• Intersectoral and national initiatives
– Coordination, Inf. Sharing, Education, …
Organisational Prerequisites
• National Regulatory Authorities (Telecom,
Banking, Data Protection, …) - sectoral
• National CERT/CSIRT – public/national
• NSA (National Security Authority), e-Gov, CA … - government/public
• Responsible bodies within CI/CII Sectors
• (Cyber) Crisis Management - government
• Functional areas – responsible bodies
– Cyber: Crime, Terrorism, Defence policy …
Threat Environment
• Shared:
– Cyber Space Environment
• Cyber Threats
• Specifics of national infrastructure,
organization, geopolitical situation, …
• Different Exposure to Risk
– Targeted threats
– National specifics (infrastructure, regional
specifics, economy, …)
Comprehensive Coordination
and Management Process
• Decision Making level
– Strategic decisions
– Crisis Management decisions
• Policy Planning level
– Harmonisation of sectoral policies
• Necessity of having adequate policies in functional areas
• Operational and technical level
– Security incident handling, information sharing
Cyber Security Strategy
• How to:
– Identify societal sectors and subsectors
– Assess sectoral specifics
– Plan organisational prerequisites
– Recognise the threat environment
– Establish a comprehensive coordination process
• Scope, Content, Requirements, Organization
A Method for Cyber Security
Strategy Development
• Huge scope
• Complex, heterogeneous and mutually
interrelated content
• Requirements drawn from both the government and the
business side of a given sector/subsector
• Coordination and management rely on
organisations from different sectors
Laws & Regulations in Cyber Space
The Basic Strategy Elements
• Goals:
– Comprehensive approach, education,
awareness, …
• Societal Sectors:
– Government, Academic, Business, Citizens
• Main principles:
– Proactiveness, subsidiarity, proportionality,
integration, …
Cyber Security Areas/Interrelations
• Cyber Security Areas (the main ones recognised)
– Identifying objectives in order to reach the goals of the
Strategy
– Refer to all of the societal sectors defined, stick to the
main principles
• Interrelations among Cyber Security Areas
(functional requirements)
– Identifying objectives in order to reach the needs of
related Cyber Security Areas
– Refer to all of the societal sectors defined, stick to the
main principles
Correlation Between the
Strategy and the Action plan
• Cyber Security Strategy
– Cyber Security Areas/Interrelations
• identified objectives (description)
• Action Plan
– Elaboration of measures for:
• Each cyber security area/interrelation:
– Each identified objective (elaboration)
» Set of measures (one or more)
Illustration of the proposed Method
Cyber Security in Croatia
• National Information Security Programme,
March 2005
– http://www.cert.hr/sites/default/files/CCERT-
PUBDOC-2005-04-110.pdf (in Croatian)
• Public Telecommunication Threats
Assessment (2010)
• Guideline on the Protection of Security
and Integrity of Networks and Services
– www.nn.hr (NN 109/2012, in Croatian)
National Inf. Sec. Programme (2005)
National Cyber Security Strategy
Drafting Process in Croatia
• Government Decision, April 2014
• UVNS is the coordinating and responsible body
• Interdepartmental Committee
– 20+ institutions with their representatives
– 9 specialized Working Groups (30+ institutions)
• Strategy + Action Plan
• Public discussion planned for April 2015
National Cyber Security Strategy Drafting
Process in Croatia
Action Plan – Identified Measures
• Strategy = Vision
• Vision = 8 General Goals on Strategy Level
• 5 Areas + 4 Interrelations = 35 Objectives
• 35 Objectives = 78 Measures
Chapter          A     B     C     D     E     F     G     H     I
Areas (9)        CSA1  CSA2  CSA3  CSA4  CSA5  IoA1  IoA2  IoA3  IoA4
Objectives (35)  3     3     2     5     5     5     3     6     3
Measures (78)    3     8     4     13    5     6     5     6     28
Thank You !
dr. sc. Aleksandar Klaić, dipl.ing.el.
Assistant Director for Information Security
Office of the National Security Council
Croatian NSA/DSA
tel. +385.1.4681 222
fax. +385.1.4686 049
www.uvns.hr