We cannot start a Cybersecurity discussion without mentioning “The National Defense Strategy for 2020-2024” released by the Presidential Administration in 2020.
Although “The National Defense Strategy for 2020-2024” does mention some of the threats, risks and vulnerabilities related to the Information Security Domain, the strategy itself does not lay a clear path (or even a general set of recommendations) to achieve a National Information Security Strategy.
Three key elements must be addressed as a whole in order to achieve a complete and effective National Information Security Strategy:
Cybersecurity – the newest and unique national security issue of the 21st century. The shift from traditional hacker-based cyber-attacks to the use of offensive cyber weapons is the new reality. The potent nexus between threat and vulnerability makes it imperative that traditional information security strategies are enhanced but also transformed to a more resilient cyber security methodology.
Critical Infrastructure Protection – ICT will be an increasingly important underlying fabric affecting all aspects of a society and will influence its future economic prosperity. How the security and resilience functions of ICT and the information systems supporting critical infrastructures are designed, operated and monitored for threats to their operations will also influence perceptions of Romania by other nations within the international community, who are also addressing similar issues.
The National Information Security Strategy itself – it should be a related set of elements that form an integrated national strategy. The driving force behind the strategy implementation should be the Human Resource component. With development of trust and cooperation from a base of transparency, coordination and collaboration, the implementation is designed to support the national short and long-term ICT objectives.
Cybersecurity is an increasingly important challenge faced by Romania. Many of the core systems that underpin the economy and society are now enabled by information technology. While this has created tremendous benefit in terms of efficiency, it has also necessitated a more systematic approach to identifying and thwarting cyber-attacks and cybercrime. As the national cyber infrastructure is threatened, we will need to move quickly (both bilaterally and with private sector owners of critical infrastructures). Romania needs to be able to respond jointly and effectively to any attack and that takes expertise, preparation and cooperation. Achieving a cyber-resilient ecosystem is essential.
Many of the same vulnerabilities used to steal intellectual property can also be used to attack the critical infrastructures. Without an immediate national initiative to develop and implement a cybersecurity policy, Romania will continue to be at risk for a catastrophic attack to the nation’s vital networks – networks that power essential services for continuity of national security operations and economic stability.
The National Information Security Strategy is focused on the information security efforts essential for protecting ICT, information systems and information. Within today’s world, ICT and information systems provide critical functions and services that affect the operations of a nation’s national security systems, government organizations, and private enterprises. As operational dependency on the ICT and electronic systems increases, information security risks become more critical. Information security is not only an essential enabling function but it must also provide countermeasures to vulnerabilities that can be exploited. In addition, the implementation of the ICT, information systems, applications and operational processes affects the availability, reliably and sustainably of those “critical” functions and services in the face of disruptive events. One of the overarching goals for the National Information Security Strategy is to provide a strategy and direction for achieving an appropriate and sustained level of ICT security. Each infrastructure operates within a unique set of requirements and collectively they contribute to national security and economic security at various levels of criticality. Most critical infrastructures, including those that perform national security functions, though generally fewer in number, perform and support the most important and fundamental role a government must exercise; namely, assuring national sovereignty and protection of its people. Government functions and services, such as emergency services, are very critical and a variety of Government services are relied upon by its people for essential services and the orderly functioning and economic wellbeing of Romania. Many private enterprises (but not all) provide some nationally critical operations and services that underpin the effective operations of both government organizations, other private organizations’ operations and a vast array of services to the people of Romania; for example, financial services.
It is important that critical infrastructure protection and resilience be considered a separate element of an overall national security strategy. A separate Critical Infrastructure Security and Resilience Strategy for Romania should be developed. It must focus on both the physical protection of key assets and the security of ICT and information systems used within critical infrastructures. Without a comprehensive strategy, there can be no assurance that infrastructure security and resilience is being implemented and operated commensurate with identified national-level risks and interdependencies.
In order to achieve a complete and effective level of protection and defense of information and information systems the National Information Security Strategy should consider the following critical aspects:
Information Security Environment
The first and primary step is consideration and agreement at the national level on a secure and effective Information Security Environment. International research shows that a centrally-managed information security is the most effective and efficient. Because of domestic political factors, few countries are able to implement an effective centralized organization that includes the defense and intelligence sectors. However, most countries have or are working towards a secure and effective national information security and cybersecurity for the protection of all the other ICT infrastructure and information systems. The current ICT environment with borderless infrastructure connectivity makes the threat, vulnerabilities and risk that one organization faces heavily dependent upon actions (or lack of actions) of other entities inside and outside the nation. This is why the traditional model of each organization being responsible for its own information security no longer works. A central national environment with information security oversight, guidance and monitoring of the nonmilitary/intelligence sector on behalf of the entire nation is the best means of minimizing risk and providing maximum assurance against both natural and manmade accidents, disasters, attacks and exploitation. This information security environment should be responsible for the detailed implementation of the National Information Security Strategy objectives and recommendations.
The next step is agreement for, and development and adoption of, a set of national information security policies. This, in turn, will lead to national standards and best practices. Each ministry agency and organization should have the flexibility to adapt the policies and implement the standards according to their individual circumstances.
This includes an update of Romania regulations and laws to take into account the legal challenges presented by the globally interconnected internet. The contents of a person’s social network page on such sites as Facebook, Twitter, YouTube or even a personal or organization’s website can be subject to unauthorized modification without the knowledge or permission of the owner. Hence, it is possible for someone whose objective is to damage the reputation of a person, organization or the state to surreptitiously plant false, inflammatory or pornographic information in an account. The defense is to minimize the vulnerabilities by employing good security measures, but ultimately a highly trained group of computer forensic specialists and investigators is needed to avoid falsely convicting innocent persons.
Risk Assessment and Management
Risk assessment and the management of risks are necessary since there is no longer an absolute defense against adverse events and attacks affecting information and ICT systems. This is because of today’s network interconnectivity and extreme ease of storing and transmitting and transporting (1 TB thumb drives can store ~100 million pages of text) sensitive and classified information. A companion to the risk assessment is a framework for ICT system assessments and audits to ensure the appropriate standards and policies are being met.
The technical infrastructure updating and hardening to a state of acceptable resilience takes longer to achieve but is a vital element of the National Information Security Strategy. Again, the interconnectivity dictates a n
National ICT Infrastructure
National architectural framework, since all systems today will suffer successful attacks and/or some degradation due to natural events or accidents or both. Planning and implementing measures to assure a minimum grade of service is both prudent and necessary to achieve Romania’s evolution to a knowledge-based ICT economy.
National and International Cooperation
Expanding the internal cooperation communication regarding attacks, threats, vulnerabilities, mitigation techniques and best practices among and between Romania’s organizations is essential. Today, not every ministry is connected to Directoratul Național de Securitate Cibernetică (DNSC), which is an obvious starting point, but much more needs to be done for a deeper national cooperation. External initiatives with numerous international organizations are needed for any nation, since in many cases immediate mitigation against cyber-attacks depends upon international cooperative actions. The sharing of information and establishment of a professional dialogue and trust regarding information security and cybersecurity between friendly nations is important. This provides information and cooperative preplanned actions that can improve the national defense from attacks on the national ICT systems and infrastructure (such as the electric, water, and oil/gas SCADA control systems) and those targeting valuable and sensitive information.
The major foundation block of the National Information Security Strategy, after the state decides upon an information security environment and policy approach is the Human Resource component. The strategy should support extensive development of Romanian citizens with a specific focus on solutions on the areas of IT, ICT and ICT security. However, the strategy focus should be a broader one than just an educational program and should be based in part on identifying citizens that could rapidly become important contributors to the needed IT and ICT security workforce. Two groups identified are females and skilled male hackers with no formal degree, but very strong IT and ICT security knowledge. In many cases their capability and knowledge is far beyond what is currently taught in the universities. With appropriate vetting and training, they could provide much needed augmentation to the existing information security work force.
An extensive program to identify, educate and train Romanian citizens for upward mobile information security careers should be implemented. It should be based on one major change to a situation identified as a major factor in lack of skilled government IT and ICT security personnel. This situation is in part due to the very great difference in compensation for qualified IT, ICT and ICT security professionals in government positions and in private industry. One of the possible solutions could be for a special compensatory premium to be paid to citizens in government related functions purely based on their true capabilities and qualifications in these fields. There should be no distinction based on gender or unvetted paper credentials.
Research and innovation take longer to bear fruit, but the National Information Security Strategy should identify some initial projects that, in themselves, are valuable but are designed to expand the capability and success rate of researchers, innovators and entrepreneurs.
Another feature that is most often applied to critical infrastructure protection but can be applied to all of the areas above is resilience. This is the ability to anticipate, absorb, adapt to and rapidly recover from potentially disruptive event or failure. And, not the least, to maintain and increase the confidence of the general public in the growing number of e-government services.
Written by Marius Marinescu, Chief Technology Officer METAMINDS