In modern democracies the digital revolution has been extending to all aspects of life, which generates significant dependency. Nowadays members of society can hardly function without e-mail addresses, bank accounts and cards, or some sort of positioning system. The role and significance of digital infrastructures is undisputed; they have become unquestionable components of transparent state functions, economic prosperity and successful scientific research. On the one hand, modern information society considers information and communications technologies (hereinafter: ICT) the engine of societal evolution. On the other hand, the challenges of dependency, the dynamics of development and the rate of penetration involve serious threats.
Moving towards enhancing the effectiveness of actions against cyber threats, Austria and the Czech Republic initiated the creation of the Central European Cyber Security Platform (hereinafter: CECSP) in 2013 with the participation of Poland, Slovakia and Hungary. The cooperation of the five states aims „to enable the information, best practices, lessons learned and know-how sharing about cyber threats and potential or (un)successfully carried out cyber-attacks. Furthermore, the Platform shall contribute to the capacity and capability building through common trainings, education, exercises and research and development coordination. Finally, the participating states strive for harmonized positions in the international environment.” (ENISA) However, various national values and interests lie in the background that could – both in case of convergences and discrepancies – influence the efficiency of the co-operation. The aim of the paper is to map those convergences and discrepancies that could affect the co-operation through a comparative analysis of national cyber security strategies (hereinafter: NCSS) on the basis of EU and NATO recommendations.
EU and NATO recommendations on cyber security
The European Union Agency for Network and Information Security (hereinafter: ENISA) was launched in Crete in 2005 with the objective to help the European Commission, the member states and the business community to address, respond and especially prevent network and information security problems. ENISA published a Practical Guide on the Development and Execution of National Cyber Security Strategies in December 2012, stating: „ENISA has studied existing NCSS, in terms of structure and content, in order to determine the relevance of the proposed measures for improving security and resilience.” (Falessi 2012, p. 1) Regarding the development and implementation of cyber security strategies ENISA outlined several aspects. Based on these, the paper focuses on the following issues, evaluating whether the national strategies developed by CECSP participating states fulfilled the following criteria:
– set the vision, scope, objectives and priorities;
– follow a national risk assessment approach;
– review existing policies, regulations and capabilities;
– develop a clear governance structure;
– identify and engage stakeholders.
The experts of ENISA specified each point and assigned the measures and elements that are necessary to fulfil the above criteria. These key performance indicators need to be defined in advance, as part of an evaluation mechanism that always precedes the creation of an NCSS; in this way the NCSS can become a powerful governmental instrument against cyber threats.
Within the North Atlantic Treaty Organization (hereinafter: NATO) the body dedicated to cyber security challenges is the NATO Cooperative Cyber Defence Centre of Excellence (hereinafter: NATO CCDCOE). NATO CCDCOE published the National Cyber Security Framework Manual in late 2012, which „provides detailed background information and theoretical frameworks to help the reader understand the different facets of national cyber security, according to different levels of public policy formulation.” (Klimburg 2012, p. XV) The manual includes an annex with the List of Principal Guidelines for creating NCSS. According to the manual NCSSs should:
– acknowledge the importance of cyberspace and the rewards of a digital society;
– include a section on threats (cyber crime, espionage, etc.);
– define key terminology (definitions and clarifications in meaning);
– declare concrete goals (translate the vision into coherent and implementable policies).
In addition, an „NCSS generally requires more governmental coordination and public transparency than other strategies, as cyberspace does not belong to any department, or indeed any nation.” (Klimburg 2012, p. 198) With regard to the NCSS development process, this paper focuses on the linkage between the NCSS and other national and international strategies, and on the inclusion of policy update and review mechanisms within the strategy.
The paper examines the NCSSs of the five CECSP countries in a comparative manner, but a detailed overview of each NCSS is not possible here due to length limitations. Thus, the content analysis of the five NCSSs concentrates solely on the aspects of examination listed below and does not take other related documents into consideration (e.g. legislation, departmental strategies, action plans, etc.). The aspects of examination rest on three pillars. The first two consist of the above mentioned EU and NATO recommendations, while the third pillar is an analysis of a 2013 Dutch research study on a similar topic, which compares ten national cyber security strategies. The analysis of convergences and discrepancies – based on the three pillars – focuses on the following issues:
– The applied terminology of CECSP states
– The embeddedness and scope of NCSS
– The evaluation of the cyber security environment and threat review
– The declaration of objectives and identification of priorities
– The specified measures and fields of action
– The risk assessment and review mechanism
The applied terminology of CECSP states
It could be expected that the mutual understanding of the terminology of strategies and policies rests on common ground and that the terms carry similar content. However, this is not the reality, due to the use of divergent terms and notions in different documents, which could lead to problems of interpretation at both national and international level.
Among the five examined NCSSs, there are only two – the Austrian and the Polish NCSS – that contain special provisions dedicated to applied terminology, terms and notions. The last annex of the Austrian strategy defines more than two dozen terms which frequently occur in the document. At the beginning of the Polish strategy fourteen definitions are explained. The Austrian NCSS uses descriptive text to indicate the meaning of the term ’cyber security’, while the Polish one provides a tight definition for the term ’cybernetic security’. The situation is similar in the case of ’cyber crime’ or ’cyber attack’, but despite the fact that some notions are defined in both strategies, the level of overlap is quite low. The other three strategies do not contain separate parts with definitions, despite the NATO recommendations. The main text of the Hungarian NCSS contains definitions, but only in two paragraphs: Paragraph 3 determines the notion of ’cyber space’, while Paragraph 5 provides a detailed definition of the Hungarian interpretation of ’cyber security’. The Slovak NCSS – as shown by its table of contents – includes annexes, and the title of the fourth annex is Definitions. It is impossible to find definitions in the Czech strategy, so the drafters of the document do not answer the question of how they interpret the term ’cybernetic security’, which is used throughout the NCSS.
Based on the strategies we can draw the conclusion that the cyber security co-operation of the five states either does not cover the field of harmonized comprehension and mutual understanding, or this has not yet taken effect in the current strategies. Despite the NATO recommendations, the strategies lack definitions, which could make harmonization and common actions more difficult at the international level.
The embeddedness and scope of NCSS
In the hierarchy of strategic documents, cyber security strategies are part of national security or defence strategies and are connected to several departmental strategies, since cyber security by its nature concerns society as a whole. In addition, lawmakers typically strive to match international expectations and directives. The scope of the strategy is very important to embeddedness: without a defined territorial, personal and temporal scope, the process of implementation, supervision and updating could face problems.
All cyber security strategies of the CECSP countries take into account EU and NATO recommendations. Except for the Czech NCSS, all of them mention several regulations, recommendations and decisions that directly determined the drafting of the given cyber security strategy. The situation is similar at the national level of embeddedness: all documents refer to the higher-level national security or defence strategies and present the legislative environment, although there are significant differences in depth. There are detectable differences regarding their temporal scope and review mechanism as well. The title of the Czech strategy (Strategy Of The Czech Republic In The Field Of Cybernetic Security For 2012 – 2015) already contains the temporal scope, while there is only a reference to a five-year timeframe in the Slovak NCSS (“The NSIS has been prepared for a five year period, i.e. 2008 to 2013”). The other three strategies provide no concrete information about the timeframe of implementation. The scope of stakeholders shows unity: every strategy emphasizes the shared role of state, non-state and academic actors. The engagement and co-ordinating tasks of governmental stakeholders are dominant compared to the mandates of non-state and academic actors.
The strategies act upon the EU and NATO recommendations with regard to embeddedness and scope. Typically several documents are referred to in connection with drafting and framing the actual NCSS, but the picture is mixed at the level of incorporated recommendations. The extremely rapid pace of technological development requires more attention to the updating and review of NCSSs than of other strategic documents. Setting the timeframe in the title of the NCSS would be a good incentive, as would adding a detailed roadmap for implementation as an integral part of these strategies.
The evaluation of the cyber security environment and threat review
The EU and NATO have also formulated recommendations for environmental threat assessments, and it is these elements that determine the baseline of security perception and threat response. The basis for preparing for any kind of threat is the identification of the threat, its scale, and our capabilities for response. Without this information the strategic objectives lack the foundations for action, which causes problems in implementation and in the end leads to a decrease in the security level.
All examined strategies have a section dedicated to the security environment and threat assessment. States are well aware that they depend heavily on ICT systems and that this affects all dimensions of society in technological, economic, social, cultural, scientific and political senses as well. There are minor divergences among the strategies, but in general all five states have realized, acknowledged and clearly stated that cyber space and the backbone ICT systems of cyber space ensure their basic functioning. From a state’s point of view, guaranteeing the security of cyber space is a task for the whole society, but the states acknowledge the co-ordinating role and responsibility of governmental actors.
All entities of cyber space and the threats generated by them are reviewed in the NCSSs, even beyond the nature and technical parameters of threats. The documents point out that the cross-border aspect of these threats causes difficulties in the application of traditional defence mechanisms developed by states. The assessments include damage to ICT infrastructures that could lead to data leakage, illegal data acquisition, unauthorized usage or economic damage, or in a serious case could threaten existential security. In most strategies threats to critical infrastructures have a prominent role, as does cyber crime, which is an indicator of rapidly increasing economic damage.
The basis of any international cooperation is that the parties have a unified view of the drivers that call for co-operation. The states co-operating in Central Europe have realized and declared that in the field of cyber security their security perceptions are similar and they perceive nearly the same threats. A consensus exists that strengthening cyber security without international co-operation is not possible.
The declaration of objectives and identification of priorities
Based on the similarity of the security and threat perceptions of the five states it could be assumed that the responses and objectives are the same as well. But shifts in emphasis could appear even if there is perfect agreement on everything else. Strategic objectives are outlined in all documents, typically in separate paragraphs, and can be summarized as follows:
– The creation of a secure environment by enhancing the security and resilience of ICT infrastructures;
– The reduction of impacts and improvement of operational safety by developing efficient capabilities to prevent, detect, respond and restore (e.g. by establishing CERTs);
– The enhancement of cyber security awareness and competence at the level of the entire society by transforming and developing education and training systems;
– Determining mandates and competence for all actors and transforming the legislative environment with respect to human rights and freedoms;
– Increasing co-ordination and information sharing at national and international level among state, non-state and academic actors.
Although the wording and the context are not the same in all cases, studying the objectives and the associated explanations shows that the five areas mentioned consistently appear in the cyber security strategies. The EU and NATO recommendations also include the declaration of objectives, so in this regard each strategy is in line with international expectations and recommendations. None of the national strategies sets priorities in the context of objectives.
The specified measures and fields of action
In order to ensure the achievement of the specific objectives, the examined strategies contain several measures and tasks. Considering that there are differences in actual preparedness, capabilities, legislative frameworks and organisational structures among the CECSP countries, various divergences could emerge.
In the Czech strategy the measures and goals are presented together. The drafters of the document identified several measures from awareness-raising to the development of the legislative framework. All measures are detailed in 3-5 points, with specific actions.
The strategy of Austria sets out measures in the field of process management, co-operation among governmental, economic and societal actors, critical infrastructure protection, awareness-raising, research and development and international co-operation.
The Hungarian strategy says that the cyber security situation in Hungary is mostly stable and sets out detailed measures and mandates for all stakeholders that include governmental coordination, awareness-raising and regulatory projects.
Like the Czech strategy, the Slovak document covers a wide range of measures together with objectives, under the strategic priorities paragraph, including the protection of human rights and freedoms, awareness-raising, as well as national and international co-operation.
The Polish strategy is the only one where the authors draw attention to prioritizing the most important measures. Each task is preceded by a risk assessment, which must be prepared annually. The next measures in order are connected to the security of government administration portals, the regulatory environment and organizational actions. There are detailed tasks in the field of education, training and awareness-raising. The last parts of the measures are technical details.
The fields of activity show a significant overlap that theoretically can have a positive impact on CECSP cooperation, because valuable experience has been generated around the same cyber security areas in the countries concerned. However, it can be seen that CECSP member states have to walk different paths to reach the common goals. The cyber security culture in Austria is better developed and there are several sectoral CERTs at the operational level. Meanwhile the Slovak strategy declares that the cyber security domain is in an unfavourable situation brought about by the poor implementation of strategic objectives, and therefore orders an assessment of the financial, human and material resources needed for the formation of a governmental cyber defence institution (GovCERT). The emphasis shifts among individual measures due to the different levels of government attention and resources dedicated to this field. It is difficult to assess the impact of measures on cooperation by analyzing only the cyber security strategies. For a more complete result, most of the related documents (e.g. action plans, cyber security acts and reports) should be reviewed.
Risk assessment and review mechanism
The assessment processes are quite important, as their results become key performance indicators. Analyzing and evaluating activities provides the basic data and information needed to recognise the initial situation, the parameters of a specific area, and the results and failures of implementation.
In this respect the Austrian strategy provides for the preparation of an annual report titled Cyber Security in Austria connected to governmental coordination, while at the operational level a periodic incident assessment is required (sector-specific and cross-sectoral platforms). In relation to legislative transformation, the Cyber Security Steering Group prepares a comprehensive report. This body also prepares a biennial report on the cyber security strategy, which is carried out together with the revision process of the strategy.
The authors of the Hungarian NCSS did not identify any specific assessment or environmental evaluation steps nor did they require any revision of the strategy. The document says „Hungary already possesses most tools required for its strategic goals regarding both competences and the potential resources.” Some reviews occur in connection to governmental, civic, economic and scientific organisations and infrastructures.
The Slovak strategy requires an assessment on national competencies regarding the creation of a safe cyber security environment while the effectiveness of information security management has to be examined and evaluated as well. The drafters of the strategy added additional requirements for analysis like an in-depth study of the transformation of cyber structures. Task analyses and process evaluations are to be prepared in connection with the implementation of the strategy, which must be approved by the government. Moreover, an annual report has to be made to inform the government about the actual cyber security situation.
The Czech strategy highlights the necessity of assessments in connection with the adequacy of the measures applied. Periodic assessments and evaluations are made at the legislative and operational levels as well, and the results are used to develop action plans and improve the cyber security environment. Risk assessments and evaluations have to analyse the implementation of safety standards in critical infrastructure systems, while the educational system has to be continuously analysed as well.
The Polish strategy requires a periodic progress report and the policymakers highlighted risk assessments as the key tool for examining the cyber space. All governmental units identified in the strategy submit an annual report which contains the results of risk assessments to the minister responsible for informatization. Assessing tasks can also be found among the measures related to the revision of the existing legislation framework. The Polish strategy also addresses a wide range of special surveys and evaluations with specific examples for the implementation process.
Austria and Poland place a strong emphasis on continuous and systematic analysis, which appears in both strategies. A similar picture emerges in connection with the Slovak document; however, the Czech and Hungarian strategies do not contain repeated, regular reviews or audits. This does not mean that there are no revision processes in Hungary and the Czech Republic. It only indicates that while the Czech policymakers have taken the EU and NATO recommendations into account only partially, the Hungarian policymakers completely left out risk assessment and review mechanisms.
One year after the CECSP was formed, the examined factors indicate an ambivalent picture at the level of the actual cyber security strategies. We can conclude that the aspects of embeddedness and scope, the evaluation of the cyber security environment and the declaration of objectives could serve as a baseline for further cooperation, but an applied common terminology is still lacking in these documents. Regarding the specified measures and fields of action identified in the NCSSs, the cooperation is incoherent because of the different conditions and competences in cyber security. At the level of policymaking, the aspect of risk assessment and review mechanism most probably needs a powerful boost to align these elements better with each other, as currently the national emphases differ greatly.
Based on the comparative assessment of the five CECSP strategies, the detected convergences are steering common efforts in the same direction, which contributes to future cooperation. However, an analysis that covers only cyber strategies is not able to draw a prompt and comprehensive picture of the effects of the divergences identified. In this respect further research is required with an extended focus on other national documents regulating the cyber security domain, including action plans and protocols.