Cybersecurity governance in Europe

Sokratis K. Katsikas
Systems Security Laboratory, Dept. of Digital Systems, University of Piraeus
ska@unipi.gr
Elements of a national cybersecurity strategy

Set the vision, scope, objectives and priorities
Follow a national risk assessment approach
Take stock of existing policies, regulations and capabilities
Develop a clear governance structure
Identify and engage stakeholders
Establish trusted information-sharing mechanisms
Develop national cyber contingency plans
Organise cyber security exercises
Establish baseline security requirements
Establish incident reporting mechanisms
Raise user awareness
Foster R&D
Strengthen training and educational programmes
Establish an incident response capability
Address cyber crime
Engage in international cooperation
Establish a public-private partnership
Balance security with privacy

Source: ENISA, National Cyber Security Strategies, December 2012
Elements of a governance structure

A governance framework defines the roles, responsibilities and accountability of all relevant stakeholders. It provides a framework for dialogue and for coordination of the various activities undertaken in the lifecycle of the strategy. A public body or an interagency/interministerial working group should be designated as the coordinator of the strategy. This is the entity that has overall responsibility for the strategy lifecycle and for the strategy documentation itself. The structure of the coordinating entity, its exact responsibilities and its relationships with the other stakeholders should be clearly defined.
Define:

Who has ultimate responsibility for managing and evaluating the strategy (the cyber security coordinator)
The management structure (i.e. the advisory body advising the coordinator)
The mandate and tasks of this body
The mandate and tasks of the entities responsible for initiating and developing cyber security policy and regulation
The mandate and tasks of the entities responsible for collecting threat and vulnerability information, responding to cyber attacks, strengthening crisis management, and other functions
The role of existing national cyber security and incident response teams (CERTs) in both the public and the private sector
EU member state (MS) good practices

Ultimate responsibility lies with the national CIO/CISO, who is appointed by the Prime Minister/President
A National Cyber Security Council with membership from both the public and the private sector
The National Cyber Security Council manages national risk management, assesses and prioritises emerging threats, responds to critical situations, manages the progress of the strategy, engages relevant stakeholders and fosters international cooperation
A National Cyber Security Center
CERTs

Source: Marios Apostolou, Comparative analysis of the state of cybersecurity among EU member states, MSc thesis, Systems Security Laboratory, Dept. of Digital Systems, University of Piraeus, March 2014
The case of Greece: present situation

No national strategy (Greece is one of 11 EU MS without one); commitment to define one by 29.07.2014
A legal framework exists
A plethora of organizations and competent authorities, with overlapping responsibilities
Lack of coordination, hence gaps
The case of Greece: proposals

It is imperative to define a national strategy. Follow the hierarchical German model: national security strategy, then national CIP strategy, then national cyber security strategy.
Content: follow the Dutch model. Define the context, define the goals, define the philosophy, but also set responsibilities and timelines.
Define the governance structure. Follow the Austrian model.
Establish a National Cyber Security Center. Follow the UK and German model (part of the CIP body).
The national CERT cannot be the intelligence services, as this, inter alia, impedes participation of the private sector.
Transform the current national CERT into a government CERT and upgrade it significantly.
Make sure to consider

The need to balance security with privacy
The need to involve ALL stakeholders
The need for international cooperation
The need to ensure democratic governance and oversight
Time is against us
Need to consider and decide upon

A single point of management with ultimate responsibility for ICT and cyber security
The composition of the National Cyber Security Council: the mix of representation among stakeholders (military, intelligence services, law enforcement, private sector)
Setting up the National Cyber Security Center
Upgrading the national CERT and establishing additional CERTs (e.g. for the private sector)