
Croatian Cyber Security Approach and the Role of NSA - Current Situation and Future Plans -


Presentation Transcript


  1. Croatian Cyber Security Approach and the Role of NSA - Current Situation and Future Plans - Multi-country Workshop on Developing National Cyber Security Capacities (TAIEX JHA59743) Sarajevo, Bosnia and Herzegovina, 6 - 7 April 2016 Dr. Aleksandar Klaić

  2. Agenda: • Strengths, Weaknesses, Opportunities, Threats (SWOT) Analysis – Cyber Security Strategy development (2014) • The Role of Croatian NSA in the lessons learned process during the years preceding Strategy development (2004-2014) • Overview of Croatian National Cyber Security Strategy, main objectives and areas of the Strategy (2014-2015) • Expectations and Directions (2016 and beyond) • Conclusion

  3. Strengths • Ratification of Budapest Cybercrime Convention (NN MU 09/02) • National Information Security Programme, 2005 (www.cert.hr/sites/default/files/CCERT-PUBDOC-2005-04-110.pdf - in Croatian) • Analysis of the State and Possible Threats to the Public Telecommunications • Office of the National Security Council (UVNS), 2009 - 2010 • Early Warning System On the Internet (SRU@HR) • National CERT, 2011 • Ordinance on the Method and the Terms for the Implementation of the Measures for the Protection of Security and Integrity of the Networks and Services (NN 109/12, 33/13, 126/13 – in Croatian) • HAKOM (NRA), MPPI, UVNS, NCERT (Directive 2009/140/EC, ENISA – 2011-14)

  4. Implementation of Croatian National Information Security Programme enacted in 2005:

  5. National CERT Responsibility and International Exchange of Security Incident Information (diagram legend: S/H = Service or Hosting; red arrows = feeds to National CERT; black arrows = notifications from National CERT)

  6. National CERT Cyber Security Incidents Statistics in 2014 (chart; includes Advanced Persistent Threat (APT) category)

  7. Mediation Activities of Croatian NSA - Examples • Croatian Internet Exchange (CIX) – (2009/10) • Not-for-profit service – Academic Sector Computing Centre (SRCE) • Home ADSL – WiFi Routers – (2009/10) • Initiative for a more active approach by NRA and ISPs • EU Directive 2009/140/EC on regulatory framework for el. comm. networks and services (Article 13a) – (2011/12) • Technical Guideline for Minimum Security Measures (ENISA) • Technical Guideline on Reporting Incidents (ENISA) • EU NIS Directive COM(2013) 48 final – (2013 and onwards) • Mediation activities in other sectors (mainly usage of CI) • National Security (LI), Defence (CIP), Financial, Transport, …

  8. Weaknesses
  • Slow acceptance of the data and infrastructure owners’ security responsibilities • Inadequately developed culture of risk management
  • Frequent regulation inconsistency – general, sectoral, EU • New security concepts such as critical infrastructure protection
  • Hierarchical tradition of government administration (silo effect) • Very limited information sharing practices (departmental, sectoral)
  • Lack of education that supports virtual society development • Unclear criteria for educational programmes verification

  9. Croatian NSA Roles (Legacy) • NSA Oversight Authority • Recommendations and initiatives • Government sector (MoI, MoD, …) • Industrial Security Programme (FSCs) • Reorganization and information sharing initiatives • National Security Policy (Information Security Areas) • Personnel Security, Physical Security, Security of Classified Information, CIS Security, Industrial Security • Financial Sector, Ministry of Health, State Inspection, … • Law Enforcement Agencies / Lawful Interception, Critical Infrastructure, Defence • Telecommunication Sector, Sector of Transport, … • National and sectoral security policy harmonisation

  10. Opportunities • Social Development • Education and Culture • Economic Development • Development of national capabilities in cyberspace • Interrelation of national & sectoral policies, infrastructures, capabilities and potential products • Support to all economic sectors

  11. Croatian NSA Initiatives • Information Sharing initiatives • Academic - Governmental: (MoU) NCERT – MoI - MoD • Governmental: Ministry of Administration (e-Gov) – ZSIS – UVNS • Telecomm Sector: (Ordinance) Ministry – NRA (ISPs) - NCERT • (EU) Digital Agenda • Active role in the Strategy e-Croatia 2020 and Government Information Infrastructure Council (Ministry of Administration) • (EU) Smart Specialization Strategy • Security/Cyber Security area – closely coordinated with National cyber Security Strategy (Ministry of Economy)

  12. Threats • Declarative approach to development strategies • Inefficient in transition societies that need reforms and clear development policies • Insufficient awareness of the need and necessity of national capabilities development • Inadequate capacity for public-private partnership • General society goals vs particular objectives of stakeholders • (Inter)national market rules vs national competitiveness • Problem of the society as a whole

  13. Cyber Security Strategy • The way to (within virtual society): • Identify societal sectors and subsectors • Assess sectoral specifics • Do the planning of organisational prerequisites • Recognize the threat environment • Establish comprehensive coordination process • Scope, Requirements, Content, Management • Development Method for the Strategy

  14. Cyber Security Strategy Vision • Cyberspace = virtual dimension of the society • Protection of core values of liberty, fairness, transparency and the efficient rule of law • Development of certain capabilities and mutual coordination of all the societal (industrial) sectors • Primarily organizational framework for the range of issues • Croatian National Cyber Security Strategy (CRO, ENG): • Office of the National Security Council (UVNS) – responsible body • More than 30 institutions participated in the Government Interdepartmental Committee for drafting the strategy • Started in April 2014, enacted on 7 October 2015

  15. Cyber Space Regulation and Security Policy – Gaps (diagram)
  • Duty of Diligence – Awareness & Responsibility
  • Government Security Policy – Classified / Unclassified Information Protection
  • Critical Infrastructure Protection – National Critical Sectors, Sensitive Information, Sensitive Infrastructure
  • Duty of Care – Appropriate Protection Measures

  16. Information Security Policy vs Cyber Security Policy • UK – Cyber Essential Scheme: • Boundary firewalls and internet gateways, Secure configuration, Access Control, Malware Protection, Patch Management • Mapping to ISO 27001/02, ISF, HMG, … • US - Framework for Improving Critical Infrastructure Cybersecurity • Mapping to NIST SP800-53, ISO 27001, CoBIT, … • What is the difference between IS and CS policy? • Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk • Organisational factor in the policy, interdependencies among key policy factors

  17. In the interpretation of Croatian National Bank the duty of care principle can be easily recognized [1] (both in relation to e-banking service providers, and in relation to e-banking clients), as well as the duty of diligence principle regarding awareness of the risks in business activities for e-banking service providers. It is the interpretation of non-repudiation criteria from the business point of view and not from the technical point of view (core strategic risks vs operational risks).
  [1] Extract from the interpretation of Croatian National Bank regarding e-banking fraud from May 28, 2014 (http://www.hnb.hr/-/objasnjenje-hrvatske-narodne-banke-u-povodu-zanimanja-javnosti-za-pitanja-vezana-uz-zloporabu-usluge-elektronickog-bankarst-1 , in Croatian): “. . . according to the law the bank is accountable to prove that an authentication of the payment transaction was done, that the transaction was correctly registered and accounted, and that the realization of the payment transaction was not influenced by a technical failure or any other deficiency. However, it is prescribed that the fact that an e-banking service provider has recorded the usage of payment instrument is not necessarily enough in order to prove that the payer (e-banking client) authorized that payment transaction, or that the payer proceeded fraudulently, or that the payer on purpose or due to extreme negligence has not fulfilled one or more of its obligations . . .”

  18. Information Security Policy vs Cyber Security Policy • What else is the difference between IS and CS policy? • Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk • Organisational factor in the policy, and the interdependencies among key policy factors (* Systemic Security Management: ICIIP/ISACA)

  19. The Method for the Elaboration of Strategy and Action Plan:

  20. The Main Elements of Croatian Strategy:

  21. Correlation of the Strategy and Action Plan • Strategy: • VISION is defined with 8 GENERAL GOALS • 5 AREAS and 4 INTERRELATIONS with 35 SPECIFIC OBJECTIVES • Action Plan: • 35 SPECIFIC OBJECTIVES are elaborated with 77 MEASURES • Objectives & measures harmonised by Interdepartmental Committee • Areas & Interrelations marked with red colour are covered by most of the measures: • (B) Gov. Inf. Infrastructure, (D) Critical Inf. Infrastructure & Crises Management, (I) Education, Security Awareness, R&D

  22. Levels for the Strategy Planning Process

  23. Covered Levels In the Initial Documents

  24. Stakeholders & Strategy Implementation Management • National Council for Cyber Security • Operational and Technical Cyber Security Coordination Group • Other Institutions – Stakeholders in the Strategy & Action Plan

  25. Conclusion • Cyber Security (CS) – comprehensive societal approach is needed (cyber risks treated as core strategic risks), complex organizational issue • Information Sharing - Why is it so hard? • Among peer organizations (trust) • Inside a heterogeneous system of entities (trust & knowledge) • The role of NSA – security policy planning & oversight purview combined with proactive security policy approach • „Ideal candidate” for coordination and mediation of cyber strategy issues • Classified Information vs Sensitive/Protected Information • National CS strategy – nation-wide policy („shallow”) • Specialized CS strategies – narrow sectoral policies („deep”) that rely on the national strategy (typically intelligence and military aspects)

  26. Thank You !? Aleksandar Klaić, Ph.D., Assistant Director for Information Security, aleksandar.klaic@uvns.hr, Office of the National Security Council, tel. +385.1.4681 222, fax +385.1.4686 049, www.uvns.hr
