Republic of Croatia, Office of the National Security Council
Croatian Cyber Security Approach and the Role of NSA - Current Situation and Future Plans
Multi-country Workshop on Developing National Cyber Security Capacities (TAIEX JHA 59743)
Sarajevo, Bosnia and Herzegovina, 6 - 7 April 2016
Dr. Aleksandar Klaić

Agenda:
1. Strengths, Weaknesses, Opportunities, Threats (SWOT) Analysis – Cyber Security Strategy development (2014)
   • The Role of Croatian NSA in the lessons learned process during the years preceding Strategy development (2004 - 2014)
2. Overview of Croatian National Cyber Security Strategy, main objectives and areas of the Strategy (2014 - 2015)
3. Expectations and Directions (2016 and beyond)
4. Conclusion

Strengths
• Ratification of Budapest Cybercrime Convention (NN MU 09/02)
• National Information Security Programme, 2005 (www.cert.hr/sites/default/files/CCERT-PUBDOC-2005-04-110.pdf - in Croatian)
• Analysis of the State and Possible Threats to the Public Telecommunications
  • Office of the National Security Council (UVNS), 2009 - 2010
• Early Warning System On the Internet (SRU@HR)
  • National CERT, 2011
• Ordinance on the Method and the Terms for the Implementation of the Measures for the Protection of Security and Integrity of the Networks and Services (NN 109/12, 33/13, 126/13 – in Croatian)
  • HAKOM (NRA), MPPI, UVNS, NCERT (Directive 2009/140/EC, ENISA – 2011-14)

Implementation of Croatian National Information Security Programme enacted in 2005:

National CERT Responsibility and International Exchange of Security Incident Information

      IP address                 Domain                 Physical Location   Domain Owner
  1.  Croatian S/H* Providers    .hr                    Croatia (RH)        Domestic/Foreign
  2.  Croatian S/H* Providers    .com; .net; .org; …    Croatia (RH)        Domestic/Foreign
  3.  Foreign S/H* Providers     .hr                    Out of Croatia      Domestic/Foreign
  4.  Foreign S/H* Providers     .com; .net; .org; …    Out of Croatia      Domestic

* S/H = Service or Hosting
Red Arrows = Feeds to National CERT
Black Arrows = Notifications from National CERT

National CERT Cyber Security Incidents Statistics in 2014

  No.  Incident Type                       Number   Percentage
  1.   Web Defacement                      389      36.00%
  2.   Phishing URL                        334      31.00%
  3.   Malware URL                         220      21.00%
  4.   Advanced Persistent Threat (APT)    45       0.04%
  5.   Denial of Service (DoS)             25       0.03%
  6.   Spam URL                            20       0.02%
  7.   Forbidden Network Activities        12       0.01%
  8.   Command & Control Centres           7        0.01%
       Other Incidents                     …        …

Mediation Activities of Croatian NSA - Examples
• Croatian Internet Exchange (CIX) – (2009/10)
  • Not-for-profit service – Academic Sector Computing Centre (SRCE)
• Home ADSL – Wi-Fi Routers – (2009/10)
  • Initiative for a more active approach of NRA and ISPs
• EU Directive 2009/140/EC on the regulatory framework for electronic communications networks and services (Article 13a) – (2011/12)
  • Technical Guideline for Minimum Security Measures (ENISA)
  • Technical Guideline on Reporting Incidents (ENISA)
• EU NIS Directive COM(2013) 48 final – (2013 and onwards)
• Mediation activities in other sectors (mainly usage of CI)
  • National Security (LI), Defence (CIP), Financial, Transport, …

Weaknesses
• Slow acceptance of the data and infrastructure owners' security responsibilities
• Inadequately developed culture of risk management
---------------------------------------------------------
• Frequent regulation inconsistency – general, sectoral, EU
• New security concepts such as critical infrastructure protection
---------------------------------------------------------
• Hierarchical tradition of government administration (silo effect)
• Very limited information sharing practices (departmental, sectoral)
---------------------------------------------------------
• Lack of education that supports virtual society development
• Unclear criteria for verification of educational programmes

Croatian NSA Roles (Legacy)
• NSA Oversight Authority
  • Government sector (MoI, MoD, …)
  • Industrial Security Programme (FSCs)
  • Reorganization and information sharing initiatives
  Ø Recommendations and initiatives
• National Security Policy (Information Security Areas)
  • Personnel Security, Physical Security, Security of Classified Information, CIS Security, Industrial Security
  • Financial Sector, Ministry of Health, State Inspection, …
  • Law Enforcement Agencies / Lawful Interception, Critical Infrastructure, Defence
  • Telecommunication Sector, Sector of Transport, …
  Ø National and sectoral security policy harmonisation

Opportunities
• Social Development
  • Education and Culture
• Economic Development
  • Development of national capabilities in cyberspace
  • Interrelation of national & sectoral policies, infrastructures, capabilities and potential products
  • Support to all economic sectors

Croatian NSA Initiatives
• Information Sharing initiatives
  • Academic - Governmental: (MoU) NCERT – MoI - MoD
  • Governmental: Ministry of Administration (e-Gov) – ZSIS – UVNS
  • Telecomm Sector: (Ordinance) Ministry – NRA (ISPs) - NCERT
• (EU) Digital Agenda
  • Active role in the Strategy e-Croatia 2020 and Government Information Infrastructure Council (Ministry of Administration)
• (EU) Smart Specialization Strategy
  • Security/Cyber Security area – closely coordinated with National Cyber Security Strategy (Ministry of Economy)

Threats
• Declarative approach to development strategies
  • Inefficient in transition societies that need reforms and clear development policies
• Insufficient awareness of the need and necessity of national capabilities development
• Inadequate capacity for public-private partnership
  • General society goals vs particular objectives of stakeholders
  • (Inter)national market rules vs national competitiveness
  • Problem of the society as a whole

Cyber Security Strategy
• The way how to (within virtual society):
  • Identify societal sectors and subsectors
  • Assess sectoral specifics
  • Do the planning of organisational prerequisites
  • Recognize threat environment
  • Establish comprehensive coordination process
• Scope, Requirements, Content, Management
• Development Method for the Strategy

Cyber Security Strategy Vision
• Cyberspace = virtual dimension of the society
• Protection of core values of liberty, fairness, transparency and the efficient rule of law
• Development of certain capabilities and mutual coordination of all the societal (industrial) sectors
• Primarily organizational framework for the range of issues
• Croatian National Cyber Security Strategy (CRO, ENG):
  • Office of the National Security Council (UVNS) – responsible body
  • More than 30 institutions participated in the Government Interdepartmental Committee for drafting the strategy
  • Started in April 2014, enacted on 7 October 2015

Cyber Space regulation and Security Policy … Gaps:
• Duty of Diligence ------- Awareness & Responsibility
• Government Security Policy -------- Classified / Unclassified Information Protection
• Sensitive Information / Sensitive infrastructure
• Critical Infrastructure Protection -------- National Critical Sectors
• Duty of Care ------- Appropriate Protection Measures

Information Security Policy vs Cyber Security Policy
• UK – Cyber Essentials Scheme:
  • Boundary firewalls and internet gateways, Secure configuration, Access Control, Malware Protection, Patch Management
  • Mapping to ISO 27001/02, ISF, HMG, …
• US - Framework for Improving Critical Infrastructure Cybersecurity
  • Mapping to NIST SP 800-53, ISO 27001, COBIT, …
• What is the difference between IS and CS policy?
  Ø Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk
  Ø Organisational factor in the policy, interdependencies among key policy factors

In the interpretation of the Croatian National Bank [1], the duty of care principle can be easily recognized (both in relation to e-banking service providers and in relation to e-banking clients), as well as the duty of diligence principle regarding awareness of the risks in business activities for e-banking service providers. It is an interpretation of the non-repudiation criteria from the business point of view and not from the technical point of view (core strategic risks vs operational risks).

[1] Extract from the interpretation of the Croatian National Bank regarding e-banking fraud from May 28, 2014 (http://www.hnb.hr/-/objasnjenje-hrvatske-narodne-banke-u-povoduzanimanja-javnosti-za-pitanja-vezana-uz-zloporabu-usluge-elektronickog-bankarst-1, in Croatian):

"... according to the law the bank is accountable to prove that an authentication of the payment transaction was done, that the transaction was correctly registered and accounted, and that the realization of the payment transaction was not influenced by a technical failure or any other deficiency. However, it is prescribed that the fact that an e-banking service provider has recorded the usage of a payment instrument is not necessarily enough in order to prove that the payer (e-banking client) authorized that payment transaction, or that the payer proceeded fraudulently, or that the payer on purpose or due to extreme negligence has not fulfilled one or more of its obligations ..."

Information Security Policy vs Cyber Security Policy
• What else is the difference between IS and CS policy?
  Ø Cyber Security Risk vs Information Security Risk, Core Strategic Risk vs Operational Risk
  Ø Organisational factor in the policy, and the interdependencies among key policy factors

* Systemic Security Management: ICIIP/ISACA

The Method for the Elaboration of Strategy and Action Plan:

The Main Elements of Croatian Strategy:

Correlation of the Strategy and Action Plan
• Strategy:
  • VISION is defined with 8 GENERAL GOALS
  • 5 AREAS and 4 INTERRELATIONS with 35 SPECIFIC OBJECTIVES
• Action Plan:
  • 35 SPECIFIC OBJECTIVES are elaborated with 77 MEASURES
  • Objectives & measures harmonised by Interdepartmental Committee
• Areas & Interrelations marked with red colour are covered by most of the measures:
  • (B) Gov. Infrastructure, (D) Critical Infrastructure & Crisis Management, (I) Education, Security Awareness, R&D

  Areas and Interrelations   5+4   A   B   C   D    E   F   G   H   I
  Specific Objectives        35    3   3   2   5    5   5   3   6   3
  Measures                   77    3   8   4   13   5   6           27

Levels for the Strategy Planning Process
• Strategic Level – Planning – Strategies and National Policies
• Tactical Level – Implementation – Sectoral Policies Harmonisation
• Operational and Technical Level – Enforcement – Information Sharing, Incident Treatment, …

Covered Levels In the Initial Documents

Stakeholders & Strategy Implementation Management
• National Council for Cyber Security
• Operational and Technical Cyber Security Coordination Group
• Other Institutions – Stakeholders in the Strategy & Action Plan

Conclusion
• Cyber Security (CS) – a comprehensive societal approach is needed (cyber risks treated as core strategic risks); a complex organizational issue
• Information Sharing - why is it so hard?
  • Among peer organizations (trust)
  • Inside a heterogeneous system of entities (trust & knowledge)
• The role of NSA – security policy planning & oversight purview combined with a proactive security policy approach
  • "Ideal candidate" for coordination and mediation of cyber strategy issues
  • Classified Information vs Sensitive/Protected Information
• National CS strategy – nation-wide policy ("shallow")
• Specialized CS strategies – narrow sectoral policies ("deep") that rely on the national strategy (typically intelligence and military aspects)

Thank You!

Aleksandar Klaić, Ph.D.
Assistant Director for Information Security
aleksandar.klaic@uvns.hr
Office of the National Security Council
tel. +385 1 4681 222
fax +385 1 4686 049
www.uvns.hr