The 14th International Scientific Conference eLearning and Software for Education

Bucharest, April 19-20, 2018 10.12753/2066-026X-18-222

The Appearance and Development of National Cyber Security Strategies

Petrișor PĂTRAȘCU “Carol I” National Defence University, Panduri str. No. 68-72, 5th distr., Bucharest, Romania

Abstract: In recent years, the digital world has gained considerable importance across multiple fields, owing to its benefits and to the large number of users in both government and private companies. This development has brought many risks and vulnerabilities. Many vulnerabilities have been attacked and attempts have been made to compromise others, and as a result protection and cyber defense measures have been issued. The cyber security concept was generated by the continuous development of information and communications technology, by the increased number of users, by the increased number of cyber threats and attacks, and by the importance of this concept as an instrument of national power. Throughout, cyberspace became a field applied at the diplomatic, information, economic and military levels of global and national policy. Cyber security followed an ascending course: it started as a technical discipline, developed to the tactical level and finally reached the strategic level in powerful countries. The development of cyber security became a matter of national policy and worldwide directives as a consequence of the increased number of threats and cyber-attacks. Because of these, many states took countermeasures to protect their national cyber infrastructure. It is observed that those countermeasures were taken while the cyber infrastructures were being attacked, or afterwards. Therefore, once cyber-attacks became a threat to critical cyber infrastructure, countries worldwide began to consider prevention the foundation of cyber security and started to develop strategies, and some of these states enacted cyber security laws.

Keywords: technology, risks and vulnerabilities, cyber security strategy.

I. MOTIVATION AND BACKGROUND FOR THE APPEARANCE OF STRATEGIES

As a preamble to what was to happen over a quarter of a century, the 1982 cyberattack was the first event that opened a new challenge to the classical confrontational environment. The 1982 cyberattack was one of the results of the Cold War, involving the secret services of both Cold War combatants. American specialists created and placed a logic bomb in the software of a computerized control system and deliberately left it for the Soviet services to access. Subsequently, devastating physical effects appeared on a Siberian energy transmission network, which were described as [1] the largest non-nuclear explosion ever detected in space.

The first significant moment in cyberspace, with worldwide resonance, was represented by the

2007 cyberattacks in Estonia.

Prior to the launch of the attacks, the Estonian government administrative system consisted of

150 public information systems serving approximately 1,000 electronic services. Almost half of the

citizens knew how to use the public electronic services, and public organizations and businesses were

using Estonian x-road digital services on a daily basis. Banking operations were largely electronic,

recently targeting the rural population as well. The voting system was using the Internet for the first

time in the populated areas that had access to the network, the mobile telephony had extended

throughout the territory and also the national education system benefited from the facilities provided

by them [2].

Compared to other Eastern bloc countries, at that time, Estonia was much more developed in

the digital field, with major investments in modern technologies and a responsive population to the

innovation through which most of them had acquired the quality of users. In this context and due to

the lack of a security strategy, cyberattacks on public and private institutions and organizations were

launched between April 26 and May 18, 2007.

The attacks took place in two different phases, each consisting of several events. The initial

phase, unfolded during the first three days, consisted of simple, spontaneous and ad-hoc attacks.

Denial of Service (DOS) attacks on targeted computers were launched, followed by ping of death

attacks directed at government and Estonian press websites.

In the second phase, the attacks were more intense, more sophisticated, through strong botnet networks. Simultaneously, several websites were attacked, most of them governmental. At this stage, Distributed Denial of Service (DDOS) attacks prevailed, the effects of which were also felt by users outside of the country. The transition from simple attacks to the most complex ones was carried out gradually, and the latter were coordinated by specialized structures in the field, following well-established plans, targets and allocated resources.

The moment of the attacks in Estonia will remain the zero kilometer point in the history of

cybernetic security. From here on, the cyberspace defense has been taken seriously by several nations,

and the identified results have contributed tremendously to strategy and policy-making. Also, the aid

received from other states during the attacks has proven the benefits of the cooperation between states.

Another important moment, which occurred close in time, is represented by the cyberattacks on Georgia in the summer of 2008. Techniques and means of attack were basically similar to those in Estonia, but fewer in number, on the grounds that cybernetic infrastructure in Georgia was not so developed. The cyberattacks were of the DDOS type, targeting public and private organizations, aiming to destabilize the operation of cyber-infrastructures.

The novelty was the combination between the cyberspace and the classic confrontation

environment where “it was the first time when a known cyberattack coincided with a real conflict”

[3]. The cybernetic offensive preceded Russia’s aerial, maritime and land-based military actions

on Georgian forces.

Thus, the result is that cyber-actions in the context of classical conflicts benefit the side that

uses them to achieve success at the expense of those who do not use them or who have not

implemented defense measures to protect their critical infrastructures.

Another country where critical infrastructures were affected by cyberattacks is Iran. In 2010, a

computer virus called STUXNET managed to get into the Iranian nuclear power plants. Kaspersky

Lab’s specialists [4] have confirmed that this is a highly sophisticated and unique IT industry attack,

prepared by a team of cybercriminals with extensive knowledge of SCADA technology (Supervisory

Control and Data Acquisition). Interestingly, it was not spread through the Internet, but only

through the local networks with the help of physical sources. It was largely designed to destroy the

nuclear centrifuge control systems. At that time, Iran was very active in the nuclear field and yet, with

the help of software system vulnerabilities, the power plants could be sabotaged and damaged.

In the years after these major events, the number of threats and cyberattacks grew throughout the world. The most significant ones, independently directed at one single state,

were reported around crisis and conflict situations, in countries such as Ukraine or North Korea. The

rest of the attacks were of lesser intensity or have not yet managed to destroy national critical

infrastructures. After the attacks outlined in the above, there have been reports from both field and

media specialists signaling numerous other cyberattacks with a different typology, that have been

launched simultaneously or shortly after, directed at several states and targeting one or more of many

cyber infrastructures, especially the critical ones in various sectors of activity.

II. EVOLUTION OF STRATEGIES

Simultaneously with the evolution of attacks and threats, cybersecurity has become

increasingly important for nations. As a result of these signals, the states have begun to take such

events very seriously.

Initially, some of them have developed and adopted cyber defense regulations as part of the

national security strategies, later on the accent being set on the cybersecurity strategies alone, a fact

which also points to the transition from the cyber defense concept to the cybersecurity concept.

The first cybersecurity strategy was adopted by the US [5] in 2003, being a milestone both for

its own future strategies and for other world states strategies. Also in the past decade, Malaysia has

adopted its strategy in 2006 and Estonia in 2008 as a result of the attacks from the previous year. If we

analyze the geographical position of these three countries, we can note that from the very beginning

the adoption of national strategies has started from all over the world, which implies an extended

deployment environment. Cyber threats and attacks are dynamic, have no borders and can easily target

various critical infrastructures of nations.

One of the first countries to closely reflect on the issue of cyber-security was the United States

of America. Motivated by the context of the terrorist attacks of September 11, 2001, they have

succeeded in adopting two years later the National Cybersecurity Strategy, its main objectives being

the prevention of cyberattacks against critical infrastructures, the reduction of national vulnerabilities

and the minimization of the effects of such attacks.

In 2009, the newly elected US president, Barack Obama, called for a robust strategy to be achieved within 60 days in order to combat current threats. Thus, the Cyberspace Policy Review [6] was developed and published with many cybersecurity enhancements to ensure confidence and

resilience of communications and information infrastructures.

In the past 15 years, over 70 countries have adopted cybersecurity strategies and policies. The

current situation, represented in Figure 1, shows that the highest percentage of national strategies

implemented relative to the number of countries of each continent is held by Europe, and at the

opposite end is Africa. European countries justify their classification also arguing that most of them

are members of NATO and the EU, which involved the forums of these organizations to reflect on

collective protection.

Greece is the only member country of the North Atlantic Organization that has remained at the

project stage in the adoption of the national cybersecurity strategy, and at European level, the

strategies of Serbia and Sweden are also in a project stage. The reason why Greece has not yet

managed to develop a strategy may also be due to its delicate situation in recent years, especially since

strategies involve financial spending and consumption of human resources.

For the American continent, the US and Canada are the main countries with important

cybersecurity efforts, and the Latin American countries are on the opposite side but they are also

showing signs that they are beginning to develop their cyber-strategies.

Figure 1. Cybersecurity strategies adoption by states until 2017

Currently, according to Table 2 on the adoption of national cybersecurity strategies by the

world’s states, over a third have managed to adopt their own strategies and policies, and some of them,

including the Netherlands, Belgium, Estonia, the Czech Republic, France, Japan, Luxembourg,

Germany, the United Kingdom, Turkey have treated cybersecurity more rigorously and thus have

reached a much more advanced stage by improving the quality of strategies or by developing new

strategies. Countries such as Croatia, Latvia, Israel, the Czech Republic, Hungary, Lithuania and

Germany have put a great emphasis on information security, and thus have adopted laws that support

their strategies.

Year                                                  2009  2010  2011  2012  2013  2014  2015  2016  2017
No. of strategies adopted in that year                   0     3     9     9    15    14    10     9     3
Total no. of strategies adopted before the next year     3     6    15    24    39    53    63    72    75

Table 2. The number of states that have adopted cybersecurity strategies

Therefore, a statistical analysis of the evolution of strategies leads to the conclusion that the period 2013-2014 is in the lead in the adoption of national cybersecurity strategies, according to the data in Table 2. The evolution of strategy adoption by states is an upward trend that can

continue in the future. In less than a decade, the number of strategies has grown considerably, which

implies a future continuity from the countries that have not yet implemented them and an

improvement from the countries that have already implemented them.

III. EDUCATION: One of the strategic cybersecurity objectives

The content of the strategies lists a number of goals, starting from the first strategy of the United States up to the present, including goals on education, which are seen not only as a necessity but also as a long-term investment by the countries that are interested in building strong cybersecurity.

Therefore, developing a culture of security in the area of education involves institutions,

academia, education providers and employers. Initiating and developing educational programs in

cybersecurity require two major stages, depending on levels of education.

The first stage is accomplished by establishing curricula for young people up to the age of 18

years, from primary to secondary school, aiming at discovering their skills and talents [7]. Therefore,

while formal educational activities are carried out in the classroom, non-formal activities are being

diversified by projects, after-school sessions or summer schools conducted by cybersecurity experts.

The second stage regards the undergraduate and postgraduate education that have a defining

role in the development of skills in order to obtain a certificate for a safe and reliable practice. At this

stage, the future cyber security profession is clearly outlined.

Currently, many countries have invested human and material resources to carry out educational

programs, as a feedback for the strategic objectives in terms of promoting and enhancing

cybersecurity. The aim of these programs consists in creating products for beneficiaries of the new

digital age.

Another important aspect of the strategy content is that through education the position of

science in information technology is extended and strengthened along with the expansion of university

programs.

For example, in Europe [8], the universities of 29 countries have introduced in their curriculum

the cybersecurity discipline. Thus, countries like Belgium, Spain, Cyprus, Ireland, Malta and the

Netherlands have adopted the option of distance learning where the classes take place online.

Introduction in Cybersecurity, Computer Science, Cybercrime Investigation, Online Course in

Cybersecurity are only some of the online cybersecurity courses.

Also, a thought model [9], represented in figure 1, consists of the following dimensions:

knowledge areas, crosscutting concepts, and disciplinary lenses.

Knowledge areas are intended for organizing cyber security context. Each area of knowledge is

structured in a flexible way depending on the requirements and consists of critical knowledge that

have a great importance in several computing disciplines.

Thus, the exploration of the connections between the areas of knowledge is performed through

the cross-disciplinary concepts, regardless of the disciplinary lens. They offer students an

organizational interleaving scheme for knowledge and strengthen the security mentality transmitted

through each knowledge area.

A disciplinary lens, through its approach, depth of content and learning, can develop the cybersecurity program. The way of thinking includes the following disciplines: computer science, computer engineering, information systems, information technology and software engineering. Thus, the application of one of the transversal concepts may differ for students working within a particular disciplinary lens, depending on its objective.

The foundational requirements that support all of the curricular content include competencies

such as communication, analytical and problem-solving skills, numeracy, critical thinking, and

teamwork which are developed through general education. Along with technological literacy and

ethical conduct, these requirements lead students to become contributing members of society.

In support of the states of the European Union, in 2016, ENISA launched the National Cyber

Security Strategies e-learning platform [10]. This platform is recommended for experts involved in the

process of creating or implementing a strategy at a national level.

The e-learning platform offers interactive training courses in order to facilitate the process of

designing a national cyber security strategy, implementing a national action plan, evaluating the cyber

security awareness after the end of the timeframe, raising awareness on cyber security topics and

offering advice to the public bodies that need to take over the initiative.

In fact, many organizations in the field have created e-learning platforms that provide courses to

strengthen the knowledge and skills of the beneficiaries. Most offer both general cyber security

solutions as well as particular cases depending on the requests. The achievements of a cyber security

e-learning platform involve three elements: infrastructure, content and services. Infrastructure consists

of a set of hardware and software resources that allow the user to access the necessary information.

Also, the content is the knowledge in electronic form that provides all the themes. Last but not least,

the services are represented by the curricula, the knowledge record, the beneficiary's capacity

management and the requirements that the platform needs to manage.

Therefore, e-learning specific to cyber security is found on the one hand in universities, such as

those of the abovementioned countries, and on the other hand in institutions, companies or other

entities which are usually in the field of information security. Thus, the platform of universities relies

more on general knowledge and tries to cover a larger range of themes than some companies or

institutes that are more focused on delivering particular solutions.

Another increasingly common variation is the involvement of several actors through partnerships to form solid platforms in cyber security. Among these partners are security service developers, mobile operators, one or more universities, and beneficiaries. All of these e-learning platforms in the field of cyber security have emerged from the needs of specialists. In this

sense, they meet the requirements of the beginner to advanced level. Depending on the objectives

proposed, e-learning platforms specific to cyber security can be defensive capability testing platforms,

information platforms, incident management platforms, and platforms that offer security solutions.

These include, for the most part, threats and cyberattacks, security alerts, data security and cyber

infrastructures, cyber security assurance programs, while complying with international security

standards, such as ISO/IEC 27001:2013 - Information technology, Security techniques, Information security management systems, Requirements [11]. The standard specifies the requirements for establishing,

implementing, maintaining and continually improving an information security management system

within the context of the organization. It also includes requirements for the assessment and treatment

of information security risks tailored to the needs of the organization. The requirements set out are

generic and are intended to be applicable to all organizations, regardless of type, size or nature.

In terms of e-learning specific standards, one of the most important is IEEE P1484, the model which was proposed by IEEE LTSC (IEEE Learning Technology Standards Committee)

[12]. This standard represents a data model for describing, referencing, and sharing competency

definitions, primarily in the context of online and distributed learning. This Standard provides a way to

represent formally the key characteristics of a competency, independently of its use in any particular

context. It enables interoperability among learning systems that deal with competency information by

providing a means for them to refer to common definitions with common meanings.

At the same time, cyberspace security, operating systems, software security, network security,

machine learning, advanced cryptography, risk management are among the most common disciplines

on platforms.

On the other hand, e-learning systems have the same characteristics and challenges as other

electronic services that require distribution of information. Moreover, this service involves Internet

access, service consumption and user payments, which recommends the implementation of cyber

security policies in the management of the system, based on cyber infrastructures security policies, the

human resource, and security risk management. The main threats of the e-learning systems are

software attacks, mostly denial of service, viruses and worms, followed by acts of theft and espionage,

infringement, copyright and piracy. Also, technical and human errors, hardware equipment failures,

quality of service deviations from service providers and technological obsolescence can be considered.

Through an effective policy and the competencies held, network administrators and

beneficiaries can maintain a solid security. The implementation of new services, to meet the needs of

users, involves constantly updating security policies and continuing training of staff involved in

managing the system. The basic requirements related to confidentiality, integrity and availability must

be respected by all the staff involved, not just those responsible for security.

IV. CONCLUSIONS

The cyber-strategy has not only kept to the level of states, it has also been treated in terms of

collective defense by organizations such as NATO, EU, UN, SCO and BRICS. In this respect, various

institutions and centers of excellence are operational, with a growing number of specialists in the field.

It is also notable that all NATO member countries have adopted their own national cybernetic strategy,

with the exception of Greece, where it is under development and adoption. The European Union is an

active presence in the field of cybersecurity with a wide range of regulations and directives covering

the widest possible area of the digital space and focusing mainly on the protection of critical

infrastructures, by activity sectors. At the European Union level, the energy and transport sectors are

the critical infrastructures that need to be protected also from the attacks coming from the cyberspace.

Today's society reflects an increasing dependence on cyber infrastructure and on strong cybersecurity, which has turned cybersecurity into a discipline that consists of several subfields and focuses on the training of specialists.

Reference Text and Citations

[1] Reed, Thomas, 2005. At the Abyss, Ballantine Books, New York. Page 132.

[2] Plăvițu, D., 2011. Războiul cibernetic - de la posibilitate la realitate, Revista Infosfera, year III, no. 2, Bucharest. Page 5.

[3] Markoff, John. Before the Gunfire, The New York Times, found at http://www.nytimes.com/2008/08/13/technology/13cyber.html, on 09.05.2017.

[4] https://www.kaspersky.com/about/press-releases/2010_kaspersky-lab-provides-its-insights-on-stuxnet-worm, accessed on the 4th June 2017.

[5] The National Strategy to Secure Cyberspace, 2003, found at https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf, on 14.09.2017.

[6] https://ccdcoe.org/cyber-security-strategy-documents.html, accessed on 03.07.2017.

[7] National Cyber Security Strategy 2016-2021, found at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf, on 18.01.2018.

[8] https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education/universities, on 20.01.2018

[9] https://www.acm.org/binaries/content/assets/education/curricula-recommendations/csec2017.pdf, on 25.01.2018

[10] https://www.enisa.europa.eu/news/enisa-news/e-learning-platform-by-enisa-on-national-cyber-security-strategies, on 25.01.2018

[11] https://www.iso.org/standard/54534.html, on 15.01.2018

[12] http://www.ieeeltsc.org/, on 15.01.2018
