legislation as a key tool of the national cybersecurity strategy · 2015. 12. 30. · legislation...
Legislation as a Key Tool of the National Cybersecurity Strategy
Legislation to make us stronger, but where is the right balance?
Costas Efthymiou
Office of the Commissioner of Electronic Communications and Postal Regulation
http://www.ocecpr.org.cy
2 November 2015
Overview
National Cybersecurity Strategy (NCS)
Where could legislation be used in a NCS?
Drivers (new and existing)
Example – Electronic Communications
Is legislation the answer to everything?
Information Society – Digital Cyprus
Infrastructure and Services Development
Application Development
Access to Content
Network and Information
Security
Citizen Participation
Trust
National Cybersecurity Strategy (NCS)
Legal Framework
Technical and administrative measures
Capability Development
Incident Response
Coordination of public stakeholders
Effective public-private collaboration
Strategy Targets – everything?
Where is the use of legislation appropriate?
Risks to what? Protect what?
Cyprus NCS Building Blocks
v1!
Critical Information Infrastructures
CIIs - Critical in the same way?
Telecommunications, Energy, Transport, Food, Water, Banking & Finance, Government...and more...
What makes an infrastructure critical?
Do sector specificities actually matter in terms of a comprehensive approach to security?
Yes, critical sectors can vary wildly in terms of ICT infrastructure, but so what?
Level of criticality shouldn’t matter
Legislation - Current Major Drivers
Strategy itself (Action 4 – Legal Framework)
Action 2 – Structures
Action 7 – Identification of CIIs
Risk assessment
Action 9 – National Cybersecurity Framework
Actions 10,11 – CERTs/CSIRTs
Action 16 – National Contingency Plan
Related Activities
Notifications (Security and privacy breaches)
Minimum security measures
Legislation – Upcoming Drivers
EU NIS Directive (coming soon!)
Key legislative tool of the European Cybersecurity Strategy
Binds nation states to have a strategy and a national CERT, with specific content and competencies
Extension of incident notification requirements to most (if not all) critical information infrastructures
+ minimum security measures?
Closer collaboration with other Member States in terms of combating large scale cyber threats
Cybercrime, Cyberdefence, External Affairs
Example – Supervision of Electronic Communications Providers
Many security measures required...
...but how can the application of these measures be supervised?
Options*:
Mandating or recommending a security standard
Assessing compliance across the market
Taking a staged approach to supervision
Auditing providers (periodically, at random, and/or post-incident)
* from survey carried out by ENISA, reported in ‘Technical Guideline on Security Measures’, ENISA, April 2014
Example - CIIs
As above – many options, associated cost, but many potential benefits
NIS Directive will increase the obligations
To what extent should we legislate?
Collaboration is the target
Win-win!
Information sharing
TRUST!!!
To summarise...
Legislation can be used as a key tool in a number of application areas within the National Cybersecurity Strategy
Supervision
Standards
Minimum security measures
Homogeneous approach (government)
Critical Information Infrastructures
Crisis management
... And Final Message
For cybersecurity, the usefulness of legislation can only be maximised when it is used as part of a holistic approach
Legislation
Voluntary Actions
Awareness
Mutual Support
TRUST!
Thank You!
OCECPR - http://www.ocecpr.org.cy
Costas Efthymiou Tel. +35722693169