
National Cybersecurity strategy

Lecture 2
Esmiralda Moradian
Learning outcomes
● Understand and discuss the need for an NCSS
● Understand the objectives and lifecycle of an NCSS
● Understand KPIs
● Understand/explain the focus areas
Need for an NCSS
● The EU economy is affected by cybercrime activities
● Future security depends on the ability to protect against cyber threats
● A failure to protect cyberspace could have catastrophic consequences
Cybersecurity is a priority of the UN
● Resolution 55/63
● Resolution 57/239
● Resolution 58/199
● Resolution 64/211
● Resolution 75/240
NCSS
(Figure: Vision, Objectives, Priorities)
The aim and purpose of NCSS
The aim is to ensure that nations are
• prepared to face serious risks
• aware of their consequences
• equipped to appropriately respond to breaches
The purpose is to
• initiate a systematic national program
• help mitigate the impact of cyber attacks
• ensure that all relevant stakeholders accept responsibility for and take steps to enhance cybersecurity
Guide to developing NCSS
• A strategic framework for a nation’s approach to cybersecurity
• A high-level, top-down approach
• Establishes a range of national objectives and priorities that should be achieved in a specific timeframe
• A tool to improve the security and resilience of national infrastructures and services
Lifecycle and phases of NCSS
(Figure: lifecycle of an NCSS)
The phases are presented in the following slides
Identifying the Lead Project Authority
● The development process
– should be coordinated by a single neutral authority (Lead Project
Authority)
• a ministry, agency, or a department, to lead the development
• should be different from the one(s) that will be responsible
for the implementation of the Strategy
● Lead Project Authority should appoint an individual
responsible and accountable for leading the Strategy
development process
Establishing a Steering Committee
● The Steering Committee should
– provide guidance, as well as quality assurance
– guarantee the transparency and inclusiveness of the process
– be able to review sensitive documents, where needed
Identifying stakeholders
● The Lead Project Authority should
– identify an initial set of stakeholders
– clarify the roles of the different stakeholders
– outline how they will collaborate
– include additional stakeholders, where needed
Planning the development of the Strategy
● The Strategy development plan should
– identify the major steps and activities, key stakeholders, timelines and resource requirements
– specify how and when relevant stakeholders will be expected to participate in the development process
– identify the human and financial resources needed
Stakeholders and examples of main action points
● Stakeholders
– Executive Branch of Government & Legislative Branch of Government (Parliament)
– Critical Infrastructure Owners and Operators
– The Judiciary & Law Enforcement
– Intelligence Community and Academia
– Vendors
– International Partners
– Citizens
● Some examples of main action points
– Develop standards and norms, legislation
– Protect critical information infrastructure
– Create a culture of security
– Security of services delivered in cyberspace
– Counter national and international criminal activities
– Threat tracking, risk assessment and response
Stocktaking and Analysis
For the NCSS to be effective, it needs to reflect the cybersecurity posture of the country, therefore
– an analysis of the country’s existing cybersecurity strengths and weaknesses should be conducted, and
– relevant materials and documents should be consulted in collaboration with relevant stakeholders across government, private sector and civil society
Assessing the cyber-risk landscape
Assessing the risks involves
– the identification of national digital assets and their interdependencies,
– the identification of vulnerabilities and threats, and
– an estimation of the likelihood and potential impact of a cyber-incident
Drafting the NCSS
The NCSS should
– provide the overall cybersecurity direction for the country,
– express a clear vision, scope and objectives,
– identify actions and allocate the required resources to support activities,
– define/confirm the mandate of the different entities responsible for initiating and developing cybersecurity policies and regulations within the country,
– define the responsibilities and tasks of the entities responsible for
• collecting threat and vulnerability information,
• responding to cyber-incidents, strengthening preparedness and performing crisis management
Consulting with a broad range of stakeholders
● Engage both public and private stakeholders
● Involve specific critical infrastructure owners instead of allocating responsibilities to a specific sector
● Involve ministries with responsibility for security, safety, crisis management, and existing national CERTs
● Include civil society in executing the strategy
Implementation of NCSS
● Implementation requires engagement and coordination of a range of different stakeholders across the government, as well as support from civil society and the private sector
● Identifying the initiatives to be implemented that will help meet the NCSS objectives
● Allocating human and financial resources for the implementation
● Setting timeframes and metrics
Evaluating and maintaining national cyber security strategy
● Evaluating the national cyber-security strategy means assessing the results of the activities using a set of objective performance metrics
● Maintaining the national cyber-security strategy means taking corrective and preventive actions based on the evaluation results in order to achieve the objectives of the strategy
● Key performance indicators or metrics should be SMART:
– Specific;
– Measurable;
– Achievable;
– Responsible;
– Time-related
● Examples of key objectives and KPIs are
– Achieving cyber resilience
– Securing critical information infrastructure
Focus areas

● Governance
● Risk management in national cybersecurity
● Preparedness and resilience
● Critical Infrastructure services and essential services
● Capability and capacity building and awareness raising
● Legislation and regulation
● International cooperation
Governance
● Ensure the highest level of support
● Establish a competent cybersecurity authority to provide direction, to coordinate action, and to monitor the implementation of the Strategy
● Ensure intra-government cooperation
● Ensure inter-sectoral cooperation
● Allocate dedicated budget and resources
● Develop an implementation plan
Develop a clear governance structure
● Define the ultimate responsibility for the management and evaluation of the strategy, namely assign a cyber security coordinator;
● Define the mandate (roles, responsibilities, processes, decision rights) and tasks of the advisory body; this includes
– the mandate and tasks of the entities responsible for initiating and developing cyber-security policy and regulation;
– the mandate and tasks of the entities responsible for collecting threat and vulnerability information, responding to cyber attacks, and others; explain how these interact with and/or contribute to the advisory body.
● Properly analyze and define the role of existing national cyber security and incident response teams (CERTs) in both public and private sectors
Risk management in national cybersecurity
● Define a risk-management approach
– Engage the right private-sector stakeholders
– Decide which risks you mitigate and how, which risks you accept, and which risks you do nothing about
– Develop a national risk registry to store the identified risks
– Define a recurring process for monitoring threats and vulnerabilities and updating the national threat landscape
● Identify a common methodology for managing cybersecurity risks
● Develop sectoral cybersecurity risk profiles
● Establish cybersecurity policies
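The risk-landscape assessment above (assets, their interdependencies, likelihood and impact) and the national risk registry with its mitigate / accept / do-nothing decision, as an added Python example written for these notes; it is not code from the ITU or ENISA guides the lecture draws on. The asset names, the 1–5 criticality and likelihood scales, the sample risks and the treatment thresholds are all constructed assumptions. The point it shows is that a risk against a low-criticality asset inherits the criticality of every asset that transitively depends on it, so the same likelihood can move a risk from "accept" to "mitigate" once interdependencies are in the registry.

```python
"""Toy national cyber-risk registry (illustrative; constructed data, not real assets).

Assets form a dependency graph (A depends_on B means A stops working if B does).
A risk against an asset is scored against the highest criticality among that asset
and everything that transitively depends on it, then mapped to a treatment.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    sector: str
    criticality: int                       # 1 (local) .. 5 (national impact); assumed scale
    depends_on: list = field(default_factory=list)   # names of assets this one needs


@dataclass
class Risk:
    risk_id: str
    asset: str                             # name of the exposed asset
    threat: str
    vulnerability: str
    likelihood: int                        # 1 (rare) .. 5 (almost certain); assumed scale


# Treatment thresholds are assumptions for this example, not values from the lecture.
MITIGATE_AT = 15   # score >= 15: mitigate (fund a control)
ACCEPT_AT = 8      # 8 <= score < 15: accept and monitor; below: no action


class RiskRegistry:
    def __init__(self):
        self.assets = {}
        self.risks = {}

    def add_asset(self, asset):
        self.assets[asset.name] = asset

    def add_risk(self, risk):
        self.risks[risk.risk_id] = risk

    def dependents(self, name):
        """All assets that transitively depend on `name` (DFS over reversed edges; cycle-safe)."""
        reverse = {}
        for a in self.assets.values():
            for dep in a.depends_on:
                reverse.setdefault(dep, []).append(a.name)
        seen, stack = set(), list(reverse.get(name, []))
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            stack.extend(reverse.get(n, []))
        return seen

    def effective_impact(self, asset_name):
        """Impact is the worst criticality among the asset and its downstream dependents."""
        affected = {asset_name} | self.dependents(asset_name)
        return max(self.assets[a].criticality for a in affected)

    def score(self, risk_id):
        r = self.risks[risk_id]
        return r.likelihood * self.effective_impact(r.asset)

    def treatment(self, risk_id):
        s = self.score(risk_id)
        if s >= MITIGATE_AT:
            return "mitigate"
        if s >= ACCEPT_AT:
            return "accept"
        return "no action"

    def update_likelihood(self, risk_id, likelihood):
        """The recurring threat-monitoring step: new intelligence revises a likelihood estimate."""
        self.risks[risk_id].likelihood = likelihood

    def report(self):
        """Risks ordered by score, highest first: (risk_id, score, treatment)."""
        rows = [(rid, self.score(rid), self.treatment(rid)) for rid in self.risks]
        return sorted(rows, key=lambda row: -row[1])


def build_sample_registry():
    """Constructed sample data: a small dependency chain and four risks against it."""
    reg = RiskRegistry()
    for a in [
        Asset("power-grid-scada", "energy", 5),
        Asset("telecom-backbone", "telecom", 5, ["power-grid-scada"]),
        Asset("gov-id-portal", "government", 3, ["telecom-backbone"]),
        Asset("health-records", "health", 5, ["gov-id-portal"]),
        Asset("tax-filing", "government", 3, ["gov-id-portal"]),
        Asset("public-website", "government", 1, ["telecom-backbone"]),
    ]:
        reg.add_asset(a)
    for r in [
        Risk("R-001", "gov-id-portal", "credential stuffing", "single-factor citizen logins", 3),
        Risk("R-002", "tax-filing", "ransomware", "unpatched web server", 4),
        Risk("R-003", "power-grid-scada", "state-sponsored intrusion", "exposed remote access", 2),
        Risk("R-004", "public-website", "defacement", "outdated CMS", 4),
    ]:
        reg.add_risk(r)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for rid, s, t in reg.report():
        print(f"{rid}: score={s:2d} -> {t}")
    reg.update_likelihood("R-003", 4)      # new threat reporting raises the grid likelihood
    print("after update:", reg.report()[0])
```

Note how R-001 scores 9 on the portal's own criticality but 15 once the health-records dependency is counted, which is exactly the interdependency effect the assessment step is meant to capture; the `update_likelihood` call stands in for the recurring threat-monitoring process that keeps the registry current.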
Establish an incident response capability
● Capabilities: it is important to empower CERTs with sufficient capabilities
– Mandate
– Operational capabilities
– Cooperation capabilities
● Tasks:
– Ensure that the CERTs can both carry out their mandate and adhere to national and EU data-protection legislation
– Create a national vulnerability database and constantly assess the potential impact
– Define procedures and best practices
Develop national cyber contingency plans (NCP)
● The objectives of an NCP are to:
– present and explain the criteria that should be used to define a situation as a crisis;
– define key processes and actions for handling the crisis;
– define the roles and responsibilities of different stakeholders during a cyber-crisis.
● Developing a contingency plan involves a number of steps
Establish trusted information-sharing mechanisms
● Define the information-sharing mechanism and the underlying principles and rules that govern the mechanism
● Follow a sector approach to information sharing
● Focus on strategic issues and critical threats and vulnerabilities
● Organize regular (face-to-face) meetings to share sensitive information
● Identify other relevant European or international trusted information-sharing communities
● Update the national risk registry and distribute the collected information to appropriate targeted users
CI and CII (critical infrastructure and critical information infrastructure)
● Address the protection of CIs and CIIs from a risk management perspective
– Identify national CIs and CIIs and critical services
● An effective and efficient CI-protection programme requires that stakeholders have clearly defined roles and responsibilities and establish a coordination mechanism for managing ongoing issues
Establish baseline security requirements
● Develop baseline security requirements
– based on existing internationally recognized standards or frameworks and good practices widely recognized by the industry
● Security baselines should be outcomes-focused, rather than prescribing how organisations should implement security
Establish a public–private partnership
● A public–private partnership (PPP) establishes a common scope and objectives; it uses defined roles and a work methodology to achieve shared goals
● PPPs may focus on different aspects of security and resilience
– deterring
– protecting
– detecting
– responding
– recovering
Make citizens aware
● Through awareness-raising, individual and corporate users can learn how to behave in the online world and protect themselves from typical risks.
– Define the target of the awareness-raising campaign
– Organise a national cyber-security month, week or day in order to engage the public and private- and public-sector partners through events and initiatives
– Develop mechanisms for reaching out to communities
– Consider translating the material into other languages
Strengthen training and educational programs
● The objectives of a training and education program are to
– Encourage students to join and then prepare them to enter the cybersecurity field
– Promote and encourage the relations between information security academic environments and the information security industry
● Launch national information security training and educational programs
● Create a national register of accredited cyber-security experts with teaching skills
Foster R&D
● Typical objectives are
– Identify the real causes of the vulnerabilities instead of repairing their impact
– Bring together scientists from different disciplines to provide solutions to multidimensional and complex problems such as cyber-physical threats
– Bring together the needs of industry and the findings of research
Legislation and Regulation
● Establish cybercrime legislation
● Recognise and safeguard individual rights and liberties
– Protect rights
– Protect the privacy of personal data
– Protect freedom of expression
● Create compliance mechanisms
● Promote capacity-building for law enforcement
Engage in international cooperation
● The following points should be followed during the development of the strategy
– Use the strategy as an instrument for fostering international cooperation
– Identify the countries you wish to cooperate with
• explain why you want to engage with them and
• clarify the context of cooperation with each one
– Promote international cooperation through information-sharing
– Encourage participation in regional, European and international exercises
References
● The ITU National Cyber Security Strategy Guide. 2011
● Guide to Developing a National Cybersecurity Strategy. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-CYB_GUIDE.01-2018-PDF-E.pdf
● An Evaluation Framework for National Cyber Security Strategies. https://www.enisa.europa.eu/publications/an-evaluation-framework-for-cyber-security-strategies
● ENISA National Cyber Security Strategies interactive map. https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map
● Cyber Security Strategy Documents. https://ccdcoe.org/library/strategy-and-governance/?category=cyber-security-strategies
Questions?
Questions can be asked in the supervision forum and/or during the chat or Zoom sessions