Slovak Republic Cyber Readiness at a Glance

Home , Classified information, Crime in Slovakia, NOVA (Slovakia), Peter Pellegrini, Reserved

SLOVAK REPUBLIC CYBER READINESS AT A GLANCE

Melissa Hathaway, Francesca Spidalieri and Anushka Kaushik

April 2019

AC INST M IT O U T B T O E

Published by Potomac Institute for Policy Studies

Potomac Institute for Policy Studies 901 N. Stuart St, Suite 1200 Arlington, VA 22203 www.potomacinstitute.org Telephone: 703.525.0770; Fax: 703.525.0299

Email: [email protected]

Cover Art by Alex Taliesen.

Acknowledgements

The Potomac Institute for Policy Studies and the authors would like to thank Alex Taliesen for cover art and Sherry Loveless for editorial and design work. SLOVAK REPUBLIC CYBER READINESS AT A GLANCE

TABLE OF CONTENTS INTRODUCTION ...... 2 1 . NATIONAL STRATEGY ...... 9 . . 2 . INCIDENT RESPONSE ...... 16. . 3 . E-CRIME AND LAW ENFORCEMENT ...... 21 . 4 . INFORMATION SHARING ...... 24. . 5 . INVESTMENT IN RESEARCH AND DEVELOPMENT . . . . 26 6 . DIPLOMACY AND TRADE ...... 30. . 7 . DEFENSE AND CRISIS RESPONSE ...... 33 CRI 2 .0 BOTTOM LINE ...... 36 . . ENDNOTES ...... 37 . . ABOUT THE AUTHORS ...... 47 . . SLOVAK REPUBLIC CYBER READINESS AT A GLANCE

Country Population 5,440 million

Population Growth 0 17%.

GDP at market prices (current $US) $95,769 billion (ranked 64th in 2017)

GDP Growth 3 4%.

Year Internet Introduced 1992

National Cyber Security Strategy 2008, 2015

Internet Domain(s) .cs and .sk

Internet users per 100 users 81 .6

Fixed broadband subscriptions per 100 users 25 .8

Mobile cellular subscriptions per 100 users 130 7.

Information and Communications Technology (ICT) Development and Connectivity Standing

International Telecommunications World Economic Forum’s Union (ITU) 46 Networked Readiness Index (NRI) 47 ICT Development Index (IDI)

Sources: World Bank (2017), ITU (2017), and NRI (2016).

1 INTRODUCTION

In 1918 – after World War I and a long history Telecommunications in Bratislava.1 However, of conflicts and occupations by neighbors, most central planners still did not consider including Austria, Hungary, and Germany telecom services to be a genuine form of – Czechoslovakia became an independent production and did not invest in the under- country. Czechoslovakia was comprised of lying communication infrastructure.2 Instead, the Czechs and the Slovaks, two distinct com- investment was targeted at primary forms munities with their respective languages, of production, such as industrial enterprises. religions, cultures, and economic sources Telephone services served as a stable source of income/growth. During World War II, of revenue that was channeled to help fund Czechoslovakia suffered significant loss of the more valued entities contributing to the life and infrastructural damage until the Soviet country’s economic wellbeing. In particular, Army liberated them in 1945. In 1946, the the telephone service was used to subsi- country held national elections that ceded dize postal services, which operated at a power to the Czech’s leading political party. loss. Telephone tariffs were not related to Simultaneously, Czechoslovakia became a the cost of providing service. Charges for client state of the Soviet Union. For the next domestic calls were fairly low and charges four decades, they were under a one-party for international calls were extremely high. system and the influence of the Soviet Union The central government in power at that time as part of the Warsaw Pact. also imposed substantial social restrictions and actively worked to make communication The Czech side of the country was highly among people difficult in order to promote industrialized (e.g., automotive, machin- political stability and quell the ability to con- ery, metallurgy, textiles, etc.) and provided spire against the Communist Party. much of the technical talent and educational capacity to the region, including three main Therefore, the first Internet pioneers in the universities focused on math, science, and country had to overcome several operational, engineering. Whereas on the Slovak side of technical, political, and social limitations. In the country, the main sectors of the economy 1976, Czechoslovakia sponsored a state project, were agriculture and mining of raw materials called “Computer Network,” to enable the (e.g., gold, silver, copper, iron, and salt). transfer of information from one computer to another – effectively, trying to implement an During the communist period, Czechoslo- ARPANET (the experimental computer net- vakia’s telecommunications network was work that became the basis for the Internet). neglected. By 1960, the Soviets had cen- A group of researchers at the Institute of tralized the postal, telecommunication, and Applied Cybernetics (UAK) in Bratislava began transport bodies into a single Ministry of working on a number of related initiatives.3 Transport and Communications. The merger By 1986, the first intra-network became oper- was dysfunctional. In 1969, two ministries ational using 16-bit mini computers4 sold by were set up – the Ministry of Post Offices Digital Equipment Corporation. UAK was and Telecommunications in Prague and able to transfer data between three nodes the Ministry of Transport, Post Offices and in Bratislava and one in the city of Prague.

2 Later, researchers at UAK started experi- similar node. In 1990, UAK transitioned its menting with email services that used the node to the Comenius University in Bratislava Unix to Unix Copy (UUCP) protocol, but and became part of the European computer the network still had both operational and network (EUnet). Export restrictions on wide technical limitations. At that time, bandwidth area network (WAN) products were gradu- was still limited (only 10 telephone lines ally reduced, allowing the existing nodes in per every 100 people). This network was Bratislava and Prague to be connected to principally used for research and did not international networks.8 In the early 1990s, allow communication between individuals nearly every European country had a tele- or businesses.5 communications monopoly and in Czecho- slovakia it was SPT Praha (Sprava post a In November 1989, a series of demonstrations telekomunikaci Praha) under the Ministry of across the country, known by the Czechs as Posts and Telecommunications. The mar- the Velvet Revolution and by the Slovaks ket was still closed to other commercial and as the Gentle Revolution,6 showed peo- non-commercial telecommunications services. ple’s desire to end the one-party rule and But the European Community’s (EC) industrial embrace a market economy. Eventually, policy advocated for the diversification of the this led to the election of Czechoslovakia’s market from U.S.-dominated products and first multi-party government in June 1990. services and promoted the development of next-generation European network technol- During the period between 1989 and the ogies and protocols as well as incubating peaceful separation of Czechoslovakia into national “research” network operators (e.g., two independent countries in 1993, the SURFnet and DFN). adoption of ICTs and the development of commercial networks and email commu- Several academic institutions in Czecho nication started increasing. In 1989, UAK slovakia started receiving financial support had established one of the primary Internet and technical know-how from foreign part- nodes (Iac.cs) using BITNET (a computer ners. This was facilitated by the EU-funded network of universities, colleges, and other project, Trans-European Mobility Scheme academic institutions that was a predeces- for University Studies (TEMPUS), launched sor to the Internet) to enable email com- in 1991 with the goal of providing connec- munications.7 The University of Chemical tions between universities in the region. The Technology in Prague had established a project involved the sharing of expertise with universities in the hill town of Banska Bystrica in Central Slovakia and partners like UNI-C Lyngby in Denmark, the National Institute for In 1989, the Institute of Nuclear and High-Energy Physics (NIKHEF) Applied Cybernetics (UAK) in in Amsterdam, the National Technical Uni- Bratislava established one of versity in Athens, and the National Science Slovakia’s first Internet nodes. Foundation (NSF) in Washington D.C. The NSF, in particular, promoted connectivity among academic institutions to ARPANET.

3 In 1991, the Slovak Academic Network (SANET) The second challenge was supporting additional was established to formalize the coopera- projects to build networks in each country. tion among experts and scientists from UAK Despite sharing the same Internet history and EUnet, as well as users of those services and network development process up to that and representatives from a host of technical point, the Czech Republic was more success- universities in Bratislava, Zilina, and Banska ful in building on the work of its academics Bystrica. Their main goal was to create and and convincing its Ministry of Education to operate a backbone network for the Slovak allocate funding through large-scale govern- academic community, support its scientific, ment projects. Slovakia was much slower in technical, and organizational needs, and adopt implementing similar Internet connectivity international standards and rules consistent projects and less successful in obtaining gov- with the EC industrial policy goals. SANET ernment funds right after its independence. also helped foster cooperation with other The Slovak government struggled to define international academic organizations, includ- its path in the market economy and harness ing the Réseaux Associés pour la Recherche the value of Internet connectivity. Européenne (RARE), and actively participated in the establishment of the Central and Eastern In 1998, Prime Minister Mikuláš Dzurinda European Network (CEENET), which involved formed a coalition government and outlined academic partners from Hungary, the Czech progressive political and economic reforms Republic, and Poland.9 on the basis of a free market. His Cabinet successfully gained Slovakia’s entry into the The first official Internet connection with the Organisation for Economic Co-operation and outside world took place on 13 February Development (OECD) in 2000, and acces- 1992 and was followed by the establishment sion into the European Union (EU) and the of the Internet domain .cs soon after.10 North Atlantic Treaty Organization (NATO) in 2004.12 The accession into these import- On 31 December 1992, Czechoslovakia ant international organizations accelerated declared a self-determined split into the Slovakia’s development, connectivity, and Czech Republic and the Slovak Republic. economic growth. The reforms also helped The development of networks in the Czech attract foreign direct investments and inter- Republic and in Slovakia took different paths. national recognition. The first challenge was changing the Internet domain .cs into the two new domains .cz The Slovak government began supporting and .sk assigned to the two newly formed Internet uptake as a catalyst for economic republics. The change was not easy since the growth, more efficient government opera- .cs domain had been in use for over a year tions, increased competitiveness, and the and many email addresses in both countries development of an information society. In were jointly registered on it. It was decided 2001, the Ministry of Education launched the that all .cs servers would remain operational SANET.2 project to build out a high-speed for at least one more year, in parallel to the communication infrastructure to connect with respective initialization of the Slovak and other European communication networks and Czech domains.11 provide a more robust connectivity among university centers.13

4 As a result of the Republic” in 2001.17 This strategy declared increased demand the government’s strategic intent to develop for Internet services, an information society and become more the number of users connected. It was reiterated in the 2004 in Slovakia has grown “National Strategy for Information Society” exponentially, from and accompanying action plan with specific less than 10 percent in tasks and a timetable.18 2000, to 75 percent in 2010, to over 81 percent of the population Slovak Republic’s in 2017 (or almost 4.5 Internet Slovakia’s first “Information million users) – above Penetration: 81.6% Society Policy,” published in the EU average of 79 2001, declared the government’s percent.14 The availability of high-speed broadband connectivity remains lower than the strategic intent to develop EU average (32 percent versus 37 percent, an information society and respectively) because of insufficient invest- become more connected. ment in the fiber optic backbone topology. Whereas mobile broadband subscriptions have increased steadily to over 130 percent of the population in 2017, slightly above the The digitization projects in the consecutive EU average.15 national digital strategies have been consistent with EU expectations, but have also been dependent on EU funding for their success, The number of Internet especially in a fiscally-constrained environ- users in Slovakia has grown ment. The European Commission infused €1.2 billion (~$1.4 billion) to accelerate the exponentially, from less than 10% “Operational Programme Information Soci- in 2000 to over 81% in 2017. ety” (OPIS) for Slovakia for the 2007-2013 period.19 The program, under the EU Conver- gence Objective framework, had a number The ICT sector plays a very important role of initiatives, such as developing electronic in Slovakia, although it is predominantly services, digitizing academic libraries, and focused on manufacturing goods as opposed improving the availability of broadband Inter- to delivery of services. In 2010, the coun- net access. In addition, Slovakia has received try already had the 8th largest ICT sector in considerable financial resources from the EU Europe, which constituted 4.67 percent of Structural and Investment Funds to facili- Slovakia’s gross domestic product (GDP).16 tate cross-border interoperability, provide Slovakia’s digital progress was fostered by easier access to government data, expand the progressive reforms initiated by Prime the government cloud, and develop elec- Minister (PM) Dzurinda and further codi- tronic services for citizens and businesses. fied by the publication of the country’s first For example, in 2013, the Slovak Ministry “Information Society Policy of the Slovak of Interior announced that eID cards would

5 start being used to enable citizen access to Estonia requested emergency assistance from various e-government services within the EU NATO for the defense of its digital assets OPIS framework. Recently, the government and restoration of its citizen-facing services. announced its intentions to switch to mobile It requested assistance under Article 4 (i.e., IDs and provide one unique system of iden- information sharing and consultation) and tification for all e-governance, e-banking, wanted to activate Article 5 (i.e., collective e-health services. A new Digital Transforma- defense).22 This accelerated the cyber discus- tion Strategy is expected to be published sions in NATO and resulted in NATO’s first in May 2019. The projects proposed in this Policy on Cyber Defence that was published strategy are consistent with previous strat- in January 2008. In the summer of 2008, egies – focused on the “digital citizen” and offensive cyber techniques were demonstrated providing free access to high-quality public between Russia and Georgia – rendering Geor- services and healthcare.20 gia’s air defense ineffective. NATO members again realized that cyber activities were a The new digital strategy may also be able to growing component of warfare and that each address the shortfalls identified in the latest country needed to take active measures to EU assessment on the digital economy and increase its defensive posture and increase society of each of its member states. In that the resilience of its critical infrastructures. study, Slovakia’s progress in e-government Slovakia’s Ministry of Finance noticed and participation and the integration of digital took action, publishing the “National Strategy technology by Slovak businesses lagged for Information Security (NSIS) 2009-2013.” behind the EU average (Slovakia ranked 20th This first-of-its-kind document focused on an out of the 28 EU member states in the 2017 information security policy, with an outline European Commission Digital Economy and of the institutional and organizational struc- Society Index (DESI)).21 Slovakia is working to ture and long-term strategic objectives in the improve its ability to deliver e-services (Internet field of information security. This strategy’s use, digital skills development, e-commerce, development was an action item from the digital public services provision, etc.) and government’s 2008 National e-Government improve broadband coverage. The govern- Strategy noting the country’s need to protect ment continues to pursue demand-oriented cyberspace.23 It also emphasized the impor- projects, consistent with EU priorities that tance of harmonizing security policies among support the construction of last-mile connec- public administration authorities and aligning tions in places where the market fails and that them to EU and NATO’s security policy. use co-financing for broadband deployment from several EU programs.

Slovakia’s awareness of the threats to its digital The Slovak’s “National Strategy assets and society began in 2007. In April for Information Security” (NSIS), and May of 2007, Estonia – one of the most published in 2008, was a first- digitized nations in Europe – was knocked off line. Its citizen-facing services (e.g., e-banking of-its-kind document focused and government services) were disrupted by on information security. a distributed digital denial of service (DDoS).

6 The NSIS was an important first step in dis- (Národný bezpečnostný úrad, NBÚ). In March cussing information security policy at the 2016, the Slovak government approved a national level. The NSIS defined the country’s dedicated Statute of the National Security strategic goals in various sectors, including Authority, which officially elevated NBU to protecting critical information infrastructure be the national competent authority for (CII), raising awareness, building capabilities, cyber security.27 All these elements were developing a secure digital environment with codified in the Cybersecurity Act in Janu- technical, operational and strategic controls, ary 2018. The law gave the NBU additional providing effective management of informa- cyber security-related responsibilities and tion security, defending public administration assigned it to implement the strategy and information infrastructure, and engaging in update policies as required.28 national and international cooperation efforts. The progressive reforms of the early 2000s Cyber defense was introduced into NATO’s provided the basis for Slovakia’s digital econ- Defence Planning Process in April 2012. Each omy, and the call to action from NATO and Member was tasked to identify and prioritize the EU has sharpened Slovakia’s focus toward cyber defense as part of their national and cyber defense. The challenge, however, is that military planning processes.24 This requirement these two sets of goals are being executed was amplified by the EU with the publication by three separate entities. The digitization of the “EU Cyber Security Strategy” in Feb- of the country and the digital economic pri- ruary 2013. The EU strategy “outlines the orities (aligning Slovakia to the EU Single EU’s vision on how to enhance security in Digital Market) are led by the Office of the cyberspace and sets out the actions required, Deputy Prime Minister for Investments and including to drastically reduce cybercrime.”25 Informatization, whereas the cyber security Taking the broader European guidance into and cyber resilience priorities of the country account, Slovakia, in 2015, published a more are led by the NBU. The Slovak Military Intel- comprehensive national cyber security strat- ligence will assume responsibility in the event egy – the “Cyber Security Concept of the of a serious national-level cyber incident, Slovak Republic for 2015-2020” – with an and will respond using the capabilities of accompanying “Action Plan for the Imple- the Cyber Defense Center. It is unclear how mentation of the Cyber Security Concept of the country will align its initiatives to meet the Slovak Republic for 2015-2020.”26 Both the expectations of the international institu- the strategy and action plan acknowledged tions, and more importantly meet business the national security and economic risks of needs that comprise a growing portion of cyber insecurity. The documents delineated the country’s GDP. In order to attract foreign the roles and responsibilities of the different direct investment, Slovakia must promote its entities involved in national cyber security critical location in Central-Eastern Europe and and articulated strategic and operational its strong ICT sector. Its high connectivity, objectives to be implemented. In January coupled with its lack of preparedness and 2016, the responsibility for coordinating the insufficient use of the full capacity of the country’s cyber security efforts at the state government entities (whole-of-government level were transferred from the Ministry of approach), has made it one of the countries Finance to the National Security Authority in Europe that is most vulnerable to cyber

7 crime.29 Moreover, because of its role in both dependencies and vulnerabilities and launch the EU and NATO, it has become the target a concerted and coordinated effort across of state-sponsored espionage. In October national stakeholders to significantly reduce 2018, the Slovak Ministry of Foreign and Euro- cyber risk and move forward to ensure its pean Affairs was penetrated and information future safety, security, and economic wellbeing. on the country’s foreign policy and security intentions was illegally copied.30 While the The Cyber Readiness Index (CRI) 2.0 has been government claims to be addressing both employed to evaluate Slovakia’s current pre- the criminal and nation-state activity, it may paredness levels for cyber risks. This analysis be missing the nexus with other transnational provides an actionable blueprint for Slovakia to cyber activities. assess its commitment and maturity to closing the gap between its current cyber security Slovakia economically desires to reach the posture and the national capabilities needed same growth level of countries such as Hun- to support its digital future. A full assess- gary, Finland, Sweden, and Estonia, where the ment of the country’s cyber security-related digital economy already accounts for 5 to 5.5 efforts and capabilities based on the seven percent of their GDP, and gain an additional essential elements of the CRI 2.0 (national 2.3 percent in GDP growth from expanded strategy, incident response, e-crime and law broadband connectivity.31 It also looks to enforcement, information sharing, investment these countries and Austria for inspiration in R&D, diplomacy and trade, and defense on how to best align its policies to EU and and crisis response) follows: NATO’s strategic guidance. Slovakia needs to better understand its Internet-infrastructure

National Strategy

Defense & Crisis Incident Response Response

Cyber Ready Slovakia E-Crime & Law Diplomacy & Trade Enforcement

Cyber R&D Infor mat ion Sh ar ing

Slovak Republic Cyber Readiness Assessment (2019).

8 1 . NATIONAL STRATEGY

In 2016, the digital economy already accounted for 5.9 percent of Slovakia’s GDP or €4.8 billion out of €81.2 billion (~$5.4 billion out of In 2016, then-Deputy Prime ~$91.1 billion).32 Then-Deputy Prime Minister Minister for Investments for Investments and Informatization for Slovakia and Informatization Peter and today’s Prime Minister, Peter Pellegrini, Pellegrini recognized that the recognized that the digital transformation digital transformation offered offered Slovakia the chance to regain a leadership role in the region. He also acknowl- Slovakia the chance to regain a edged that Slovakia was lagging behind in leadership role in the region. ICT innovation, research, and development because the country had suffered insufficient investment under one-party rule. It was not until the reforms of the early 2000s that Slovakia strategy was followed by the 2004 “National began to rebuild its economy and create a Strategy for Information Society” and accom- business environment that might attract for- panying action plan. These two foundational eign investors.33 He conceded that Slovakia documents outlined priorities for telecom- needed capital infusion to enable a digital munications investments and to create the transformation and promote innovation. necessary technical skills to help society gain access to information and contribute to the Since 2001, Slovakia published several digital economy.37 The plan was evaluated national-level plans to promote the digiti- on an annual basis, yet progress against the zation of the country’s government services goals were limited likely due to inadequate and operations. These strategies were devel- funding. The government codified this strat- oped in line with EU priorities and goals egy into law and assigned the Ministry of set forth by many documents including: the Finance, in collaboration with the Govern- European Information Society for Growth and ment Plenipotentiary for Information Society, Employment (an initiative launched as part as the responsible entity for developing an of the 2000-2010 Lisbon Agenda,)34 various information society under the Prime Minis- iterations of the eEurope Plan of Action(s)35 ter (i.e., state administration) and creating and EU e-Government action plan(s), the 2010 a stable digital economy.38 Digital Agenda for Europe 2020, and finally the 2015 EU Digital Single Market Strategy. Over the next decade, Slovakia published a number of plans to advance the country’s In 2001 – before its accession to the EU in development. These initiatives, listed on the 2004 – the Slovak government adopted its following page, included beginning to invest first “Information Society Policy of the Slovak in broadband infrastructure, digitizing citi- Republic,” which declared the government’s zen-facing services, advancing digital literacy strategic intent to develop an information and inclusion, and promoting the need to society and become more connected.36 This protect data.

9 • The 2004 “Sustainable Development of ICTs, ensure safe and secure access to Action Plan for 2005-2010”; digital services, and expand e-governance processes in Slovakia. It had four key priorities: • The 2005 “Competitiveness Strategy for “encouraging economic growth, boosting the Slovak Republic until 2010” adopted competitiveness, enhancing economic with in direct response to the 2000 EU Lisbon a higher value added, and increasing effec- Strategy; tiveness of public administration.”45

• Two National Reform Programs (2006- It recognized that the digital economy already 2008 and 2008-2010);39 represented 4.6 percent of Slovakia’s GDP in the first half of 2012, making the digital • The 2008 “Information Society Strategy for economy outperform other sectors such as 2009-2013,” which built upon the experi- agriculture, banking, construction, and retail. ence of its predecessor while considering It also acknowledged that Slovakia’s digital the ongoing economic crisis that swept economy had a considerable potential for through Europe in the late 2000s;40 further growth to approach the level of such countries as Hungary, Finland, Sweden, and • The 2008 “National e-Government Strat- Estonia, where the digital economy already egy” and an ambitious national master accounted for 5 to 5.5 percent of their GDP, plan, which called for the development of and that broadband and productivity gains a national strategy for information security could contribute an additional 2.3 percent “with the aim of providing cyberspace to national GDP growth.46 protection” in Slovakia;41

• The 2008 “National Strategy of the Slovak Republic for Digital Integration”;42 The 2014 “Strategic Document for Digital Growth and • Two national broadband strategies (one for 2009-2013 and one for 2011 with no Next Generation Access expiration date); Infrastructure” acknowledged that Slovakia’s digital economy • The 2012 national “Operational Program had a considerable potential 43 Information Society.” for further growth.

In 2014, the Ministry of Finance released another national digital strategy – the “Strategic Document for Digital Growth and Next Gen- Moreover, the 2014 national digital strategy eration Access Infrastructure (2014-2020).”44 recognized the importance of increasing the This strategy built on the seven pillars of the security of electronic services and systems, 2010 Digital Agenda for Europe 2020 and its with an emphasis on protecting personal 2012 revised version. It identified priorities data and privacy, modernizing and pro- and specific actions to help foster wider use tecting critical infrastructure, developing

10 processes to handle security breaches, and knowledge-based society in Slovakia. A new aligning national strategies and policies with Digital Transformation Strategy is expected the 2013 EU “Cybersecurity Strategy along to be published in May 2019. The projects with the draft directive concerning network proposed in this strategy will likely build on and information security (NIS) submitted by previous strategies – focused on the “dig- the Commission. … The goal of the specific ital citizen” and providing free access to measures [was] to increase cyber resilience high-quality public services and healthcare.48 of information systems, reduce cyber crime, and reinforce cyber defense policy and capa- In announcing this new digital strategy, Deputy bilities” in line with the EU Common Security Prime Minister Raši emphasized that citizens and Defense Policy (CSDP).47 The document will also have increased transparency regard- also identified funding and resources for spe- ing how the government and private sector cific priorities, such as providing electronic are collecting and using their personal data. services for citizens and businesses, securing The document will outline the government’s the networks of the public administration, priorities to transition to mobile IDs and and expanding broadband connectivity, etc. migrate all services and platforms (banking, healthcare, social security, etc.) online. He Slovakia’s initiatives have been significantly reiterated the government’s motto “Jedenkrát dependent on the receipt of EU funding, a dost” (“Once is enough”), meaning all cit- especially in a fiscally-constrained environ- izens should only have to be identified with ment. Only 44 percent or € 2.3 billion (~$2.6 one digital ID to access all public services. As billion) of funding to implement the 2014 the country continues to become more digi- strategy came from the state budget. The rest tized, however, it must also mitigate the risks came through a combination of EU Structural resulting from its hyper-connectivity ensuring and Investment Funds, such as the Euro- that ICT systems do not suffer from breach, pean Regional Development Fund (ERDF), disruption, or destruction. and private funding and investments. This digital strategy has since served as the basis Slovakia became more focused on the need for subsequent initiatives aimed at digitiz- for cyber defense in 2008 as a result of the ing citizen-facing services and developing a incidents in Estonia and then Georgia. Its national leaders recognized the need to protect their digital environment by reducing the overall level of cyber security risk within Slovakia’s initiatives aimed at and across borders. After the publication of the 2008 e-Government strategy, which digitizing citizen-facing services had called for the development of a national and developing a knowledge- strategy for information security, the Ministry based society have been of Finance published the “National Strategy significantly dependent on for Information Security (NSIS) 2009-2013.” the receipt of EU funding. This first-of-its-kind document focused on an information security policy, with an outline of the institutional and organizational

11 structure and long-term strategic objectives directly aligned the NSIS to the EU’s relevant in the field of information security. At that documents as well to the interests articulated time, the Ministry of Finance served as the in OECD and NATO’s policies. The action national authority for information security plan and the “Report on the Performance of pertaining to all unclassified information in Tasks of the NSIS” set clear milestones and public administration and the general public. objectives for each initiative and assigned The Ministry of Finance was also responsible specific tasks to government agencies for for developing and implementing both the implementation. For example, the Ministry of digital and national cyber security strategies.49 Interior was assigned responsibility to man- Classified information protection, cryptographic age crises and protect CII. The Ministry of services, electronic signatures (expanded to Telecommunication continued its responsi- trust services in 2016), and cooperating with bility over Internet Service Providers (ISPs). foreign national security authorities and inter- The NBU continued its role in protecting national organizations were the responsibility classified information and managing digital of the National Security Authority (Národný certificates. The Ministry of Justice contin- ezpečnostný úrad, NBU).50 ued to apply existing laws and combat cyber crime. It also outlined a national governance roadmap for cyber security and stated that its initiatives would be financially supported by the EU OPIS program. From 2008 to 2015, the Ministry of Finance was the entity After the publication of the NSIS strategy, responsible for implementing Slovakia began reorganizing its institutional both the digital and national and organizational structures. It began to cyber security strategies. update laws and regulations to address the growing threat of cyber crime and increase capacity to address other cyber threats. Understanding that ISPs could and should undertake more responsibility in national The NSIS was an important first step in dis- defense, the country began to address the cussing information security policy at the regulatory shortfalls in the security of informa- national level. The NSIS defined the coun- tion and communication systems. Through its try’s strategic goals in a number of areas, national Computer and Emergency Response including: protecting CII, raising awareness Team (SK-CERT), Slovakia began building the and digital skills, developing secure digital capacity to implement measures to manage environments with technical, operational cyber incidents. and strategic controls, ensuring the security of and defending public administration In 2013, other national security entities began information infrastructures, and engaging in discussing the dangers of Slovakia’s cyber national and international cooperation efforts. insecurity. The Slovak Ministry of Defense The accompanying 2010 “Action Plan for (MoD) published its “White Paper on Defense 2009 to 2013 for the National Information of the Slovak Republic,”51 noting that Slova- Security Strategy of the Slovak Republic” kia must take the necessary steps to prevent

12 threats that could cause significant or irre- vakia had a critical assessment of its cyber coverable damage that could undermine the security posture and noted many shortfalls credibility of the state. The Security Council that the strategy intended to address. These of the Slovak Republic began adding the included “the field of cyber security in the topic of cyber threats to its annual reports Slovak Republic [was still] not integrally and on the security risks to the country. Even consistently regulated at a national strategic so, Slovakia recognized that its approach to level.”55 The document explains that “cyber cyber security was still fragmented. In 2015, threats [were still] not generally seen as a with the publication of the “Cyber Security sufficiently urgent problem,” and that the Concept of the Slovak Republic for 2015- country was still lacking a national framework 2020,” the government entities responsi- for “systematic, coordinated, and efficient ble for cyber security were reorganized yet collaboration” among its key stakeholders.56 again.52 In January 2016, NBU was elevated to become the national competent authority In 2016, the government released an “Action with the responsibility for managing national Plan for the Implementation of the Cyber cyber security.53 Security Concept of the Slovak Republic for 2015-2020.”57 The two documents taken together constitute a broader approach to cyber security “creating the conditions to build In 2016, after the publication up national cyber capabilities” and ensuring of the “Cyber Security Concept “adequate protection (and security) of state cyberspace from potential threats.”58 Both of the Slovak Republic,” NBU the strategy and action plan acknowledged was elevated to become the national security and economic risks of the national competent cyber insecurity. The common strategic goal authority for cyber security. was to “establish an open, secure, and protected national cyberspace.” The strategy laid out seven strategic areas to adequately address cyber risks and threats, including:

At the same time, the Committee for Cyber 1. Building of institutional framework for cyber Security54 was established within the Security security administration, which emphasizes Council of the Slovak Republic. Together, the establishment of a National Incident they confirm Slovakia’s national security Resolution Unit and several incident res- priorities including those related to cyber. olution units; These priorities, reflected in the 2015 strategy, also took into account Europe’s cyber 2. Creating and adopting a legal framework priorities as reflected by both the 2010 NATO for cyber security; Defence Strategy and the 2013 EU Cyber Security Strategy. Slovakia’s strategy also 3. Developing and applying basic mech- incorporated many of the requirements of anisms to secure the administration of the forthcoming EU Directive on Network cyberspace; and Information Security (NIS Directive). Slo-

13 4. Supporting, formulating, and adopting The implementation of the action plan was an education system in the area of cyber funded through EU operational programs, security; ministry funding programs, and the NBU budget, but exact allocations were unspeci- 5. Defining and adopting a risk manage- fied.62 NBU’s 2018 funding was €9.051 million ment culture and communication system (~$10.2 million) for the broad spectrum of between stakeholders; its existing missions including cyber security. It is unclear how the funds will be divided 6. Actively participating in international by mission area. cooperation; and The recommendations and action plan, as 7. Supporting cyber security science and well as the key components of the NIS Direc- research. tive, were codified in the 2018 Cybersecurity Act, which served as the foundation for “the The strategy also addressed the importance subsequent creation of regulations, stan- of cooperation with the private sector, espe- dards, methodical instructions, rules, security cially in regard to the development of a risk policies and other instruments necessary to management culture and information sharing provide for cyber security.”63 The law offi- framework. It noted the importance of collab- cially elevated the role of NBU (Articles 4 oration between its government ministries, and 5).64 NBU’s responsibilities for national public and private sectors, and national and cyber security now include:65 global institutions.59 It also called for the creation of a formal platform for collaboration • Assessing the effectiveness of the national and cooperation, especially on education cyber security strategy and, in cooper- and training. ation with the respective state authorities, producing an annual report on the The high-level goals in this strategy were further country’s state of cyber security that is detailed in its accompanying Action Plan.60 submitted for approval to the Committee Each task was assigned to the sector-specific for Cyber Security of the Security Council agency/ministry (e.g., interior, economy, (which functions as an advisory body to finance, and defense, and the National Inci- the Prime Minister);66 dent Resolution Unit) for implementation.61 Early successes of the plan include: assigning • Developing cyber security-related national NBU the mission for national cyber security; policies, regulations, standards, action establishing a National Cyber Security Inci- plans, and methodologies, and directing dent Response Team (National SK-CERT); and monitoring their implementation; implementing an alert, incident reporting, and information exchange system (i.e., the • Formulating incident response poli- Cybersecurity Single Information System); cies, plans, and procedures to handle promoting ad hoc legislation and regulations national-level cyber security incidents, in line with EU policies and other international issuing alerts and warnings about serious obligations; and establishing mechanisms cyber security incidents, accrediting incident for the protection of CII. resolution (CSIRT) units, and supervising their activities;

14 • Serving as the national point of contact Slovakia has made significant progress since (POC) for cyber security and defense the early 2000s to advance its digital econ- for foreign entities and ensuring coop- omy and shore up its cyber defense. From eration with the respective POCs at the 2008 up until the publication of the 2015 EU and NATO; national cyber security strategy, the Ministry of Finance was in charge of both the digital • Representing Slovakia in international fora agenda and small components of information dedicated to cyber security and coor- security. In 2015, the missions were sepa- dinating the execution of tasks to fulfill rated, and the country began a new focus international cooperation agreements; on cyber defense. Today, the Office of the Deputy Prime Minister for Investments and • Monitoring the national cyberspace by Informatization leads the digitization of the gathering, analyzing, and evaluating country and the economic priorities (aligning information on current and potential Slovakia to the EU Single Digital Market), cyber threats; whereas the NBU leads cyber security and cyber resilience. In the event of a major cyber • Administering and operating the Cyber- incident, the Military Intelligence will assume security Single Information System – the responsibility for defending the country. country’s national information sharing platform.

Chairman of the Government of the National Council of the Slovak Republic Slovak Republic (Prime Minister) (Parliament) Approves domestic legislation, Sets vision, strategy, and constitutional laws, military assesses security risks operations, and the annual budget. Security Council of the Slovak Republic Advisory body to the PM

Committee for Cyber Security

National Security Authority (NBÚ) Sets standards, operational procedures, and policies for cyber security including developing the Cyber Security Concept (national cyber security strategy)

Deputy Prime Minister for Investments and Informatization (Public administration sector) Ministry of Economy Ministry of Defense Other Ministries Develops, implements, and oversees the (Other sectors & sub- national digital investment strategies (Industry sectors) (Defense sector) and digitization processes sectors)

Special units responsible Sector & subsector Government CSIRT for incident response/ Industry CSIRT CSIRT.MIL.SK CERT/CSIRT(s) handling

Figure 1: Slovakia Cyber Security Organizational Chart.

15 It is unclear how Slovakia is aligning its short responsibility, and successfully achieving each and long-term priorities for the country. Effec- milestone will begin to establish credibility tive risk management requires the country’s and foster confidence in Slovakia’s ability leadership to understand what it values most, to defend its digital future. As international outline what is most important to protect institutions, businesses, investors, and citi- (e.g., companies, services, infrastructures, zens gain their confidence, Slovakia will likely and assets), and demonstrate that it is will- see the much-needed infusion of capital to ing to invest the political capital, executive continue to accelerate its economic growth time, money, and resources needed for this and innovation. protection. Slovakia continues to enumerate economic and security aspirations without 2 . INCIDENT RESPONSE clearly ensuring that they build on each other and can mutually be realized (operational- The 2018 Cybersecurity Act detailed the ized). It is unclear if both the economic and processes and competent bodies respon- national security considerations are addressed sible for cyber security incident handling, in the Security Council – or even in the Prime but Slovakia does not have a consolidated, Minister’s (state administration) office. single national incident response plan. The 2018 law assigned NBU the overall respon- Slovakia is already one of the more vulnerable sibility for handling domestic cyber security countries to cyber crime in Europe. Moreover, incidents, coordinating response activities because of its role in both the EU and NATO, at the national level, producing reports on it has become the target of state-sponsored cyber security incidents, issuing alerts and espionage. NBU must champion the cyber warnings about serious cyber security inci- security and resilience considerations as part dents (through the Cybersecurity Single of the country’s planning process. Slovakia Information System), and cooperating with cannot afford to slip in the execution of its international organization and authorities to 2015 national cyber security strategy’s risk handle cross-border cyber security incidents. reduction measures. Different entities are operationally responsible, including the national Computer and Slovakia has set high expectations for itself, Emergency Response Team (SK-CERT, under including ensuring that its digital economy NBU), the government CSIRT unit (under grows to the proportions of northern Euro- the Office of the Deputy Prime Minister for pean countries (e.g., Sweden). There are also growing expectations from international institutions that it will commit to and meet the The 2018 Cybersecurity Act requirements set forth by the EU, NATO, and OECD. Communicating what is at stake and assigned NBU the overall improving overall risk awareness is important responsibility for handling at every level – from government leaders to domestic cyber security incidents every citizen. NBU will have to put cyber security and coordinating response in context by explaining why each initiative activities at the national level. will help reduce economic and societal risk. Establishing clear lines of accountability and

16 Investments and Informatization), the industry Assessing the severity and impact of malicious CSIRT under the Ministry of Economy, and cyber activity on individuals and organizations the CSIRT.MIL.SK (under the Military Intel- in Slovakia has been somewhat difficult in ligence of the Slovak Republic within the the past because of the lack of official sta- MoD). NBU is also tasked with establishing tistics outside of the public sector and the preventive measures to prevent and mitigate propensity of victims not to report incidents cyber incidents before they occur.67 or notify authorities. According to several studies and data collected by EU agencies, Moreover, the 2018 Cybersecurity Act (Arti- Slovakia is one of the countries most vul- cle 27) clarified the mission and tasks of the nerable to cyber crime in the EU, along with Cybersecurity Single Information System.68 Malta, Greece, Spain, and Lithuania.69 In 2018, This system is a platform intended to man- SK-CERT reported around 1,500 denial of age, coordinate, and inspect the activities service attacks and 5,000 cases of malware of state administrations and CSIRT units in in the country.70 the field of cyber security. It is administered and operated by NBU and is not fully oper- SK-CERT, as it is known today, was established ational yet. This platform will also gather, in 2016 under NBU.71 However, Slovakia has process, and evaluate information so that had a national CSIRT-type unit since at least the state of cyber security in Slovakia can 2009, when it established the Cyber Pro- be assessed. Operators of essential services tection Department of Information Security and digital service providers are required to and Electronic Signature within the NBU’s report cyber security incidents via this sys- organizational structure. This department tem. In the event of a serious cyber security included a Department of Computer Security incident, NBU can issue urgent alerts both and Incident Response, which was renamed through the Cybersecurity Single Information the Computer Security Incident Response System, the mass media, and the Central Center (CS-CSIRC) in 2011.72 CS-CSIRC also Portal of Public Administration. NBU then served as the national POC for the NATO decides which CSIRT unit and/or operator of Cyber Protection and the European Warning essential service or provider of digital service System, NSIAM (which expired on July 1, is responsible for handling the actual incident 2017). The unit kept developing its operational and directs specific reactive measures to be activities and, in 2014, NBU established a carried out by those entities. If NBU exhausts Security and Operational Monitoring Cen- all manners of handling a serious cyber inci- ter (SK-CSIRC) and expanded its activities dent, it must then submit information about to include “the role of guarantor for cyber the perceived impacts of the event on the security in the National Security Analytical security of the country to the government’s Center.” In 2016, NBU established a new Security Council as part of the procedure specialized national unit SK-CERT. The original for crisis situation handling. Depending on CS-CSIRC unit has dissolved by incorporation how grave the threat is, NBU will contact into SK-CERT. and inform the Military Intelligence.

17 Figure 2: Evolution of national CSIRT-type unit in Slovakia.

Today, SK-CERT is responsible for a series of • Conducting regular analysis and assess- proactive, reactive, and educational services, ments of incidents, vulnerabilities, mal- including the following: ware, and threats at the national level;

• Monitoring adherence to security stan- • Promoting cyber security awareness by dards in public administration informa- publishing articles, promoting best prac- tion systems and determines the status tices, providing advice and delivering of security; recommendations;

• Providing services associated with the • Serving as an active member of the Forum actual handling of incidents for their con- of Incident Response and Security Teams stituency and different levels of support (FIRST) and shares information with national depending on the type and severity of and international partners; and a particular event; • Offering cyber security education and • Coordinating national security incident training.73 resolution and restoration of information systems in cooperation with the owners and operators of the systems concerned; The national SK-CERT is • Issuing security bulletins and alerts contain- responsible for a series of ing information on cyber threats, product proactive, reactive, and vulnerabilities, cyber security incidents, educational services. and other cyber-related information;

18 With the passage of the Cybersecurity Act The obligations for providers of CII services in 2018, NBU was officially defined as “the were codified in the 2018 Cybersecurity Act, National CSIRT Unit,” in line with the require- as required by the NIS Directive. Slovakia ments of the 2013 EU strategy for “An Open, created a national registry and each key Safe and Secure Cyberspace” and subsequent operator or provider is entered in the register EU Cyber Security Directive. However, the along with the competent authority respon- specific tasks of a national CSIRT continue sible for overseeing them. Articles 8, 24, to be performed by SK-CERT. It now has and 25 of the 2018 Cybersecurity Act detail a broader mandate and must perform the duties and responsibilities of operators of following tasks: essential services and digital service providers, and rules and obligations for reporting • Fulfill notification and reporting obliga- and responding to specific cyber security tions to the competent authorities of the incidents.76 They use the Cybersecurity Sin- EU and NATO; gle Information System to report, manage, and share information, receive alerts and • Cooperate with central authorities, other warnings, and when required, coordinate state administration bodies, CSIRT units, cyber security incident response.77 There basic service providers, digital service is a non-public, invitation-only part of the providers, and international partners; platform reserved exclusively to operators of essential services and providers of digital • Impose specific obligations over service services that is accessed by government providers and digital service providers agencies including accredited CSIRT units, to react in the event of an incident and the National Bank of Slovakia, the Office for approve the provider’s security measures; Personal Data Protection, and other government entities upon approval of the NBU. • Receive national and international reports on cyber security incidents and cooper- In addition, there is a public administration ate with international organizations and CSIRT that was created under the Ministry authorities of other states in handling of Finance in 2009. In 2016, it was transi- transnational cyber incidents.74 tioned to the Office of the Deputy Prime Minister for Investments and Informatization The 2015 national cyber security strategy did and was renamed to government CSIRT not identify the country’s critical infrastruc- unit (CSIRT.SK).78 This unit is responsible for tures, services, assets, or companies. After handling cyber security incidents in public the publication of the 2016 NIS Directive, administration information systems and for Slovakia was required to identify the critical providing preventive and reactive services, providers in the following categories: bank- including the publication of monthly reports ing, transportation, digital infrastructure, of cyber security incidents in Slovakia and energy, financial services, postal services, around the world. electronic communications, healthcare, and public administration.75

19 In September 2018, the Deputy Prime Min- ing compliance by both governmental and ister’s Office announced a new project – the non-governmental entities with all Slova- “National System for Cyber Security Inci- kian data protection and privacy laws. It has dent Management in the Public Adminis- the authority to summon data controllers tration.” It was proposed in cooperation or processors to investigate alleged legal with the National Agency for Network and infringement of data protection obligations Electronic Services (NASES), the Slovak and can force organizations to release the Information Service, and NBU. The project information concerning the breach of pro- received €45 million (~$51 million) first to tection of personal data.81 It also acts as the focus on the security of the government’s national regulator for the implementation operations and then to concentrate work of the EU General Data Protection Regu- on other national priorities. The money will lation (GDPR) requirements. The Office is be used to build out a government’s Secu- one of the five competent authorities that rity Operation Center (SOC) and create a can access information in real time via the department for IT auditing within the DPM Cybersecurity Single Information System. Cybersecurity Division. It will also be used to help the government CSIRT.SK implement Finally, SK-CERT has conducted national preventive measures to thwart security inci- cyber security exercises – mostly focused on dents.79 The new government SOC, audit technical aspects – in 2011 and 2013 (Slovak team, governance, and CSIRT.SK will be Information Security Exercise) organized in staffed with about 60-70 employees. cooperation with the Ministry of Finance and aimed at critical infrastructure protec- Within public administration, the Deputy tion.82 Both the government CSIRT.SK and Prime Minister’s Office is also transitioning the national SK-CERT regularly participate to electronic means of communication across in multi-national cyber security exercises all departments as well as standardizing organized by the EU (e.g., Cyber Europe), Service-Level Agreements (SLAs) and con- NATO (e.g., Cyber Coalition), the NATO tracts to move toward better IT governance.80 Cooperative Cyber Defence Centre of Excel- As the country continues to become more lence (CCD CoE) (e.g., Locked Shields), the digitized, however, it must also understand EU Agency for Cybersecurity (ENISA) (e.g., that its hyper-connectivity may lead to ICT CyberSOPEX), and many others.83 system breakdowns and breaches of confi- dentiality, accessibility, and data integrity. Slovakia is improving its capability to detect, Slovakia has yet to develop a plan for the repel, and contain sophisticated threats to potential degradation of its various national its networked infrastructures and services. digital services and especially its eID system, The NBU is beginning to field the latest which will soon become the mobile ID system. technologies to improve the country’s situation awareness of emerging threats. Finally, In 2002, in line with EU data protection Slovakia has just begun to develop the requirements, Slovakia established a Data necessary national capabilities to increase Protection Authority – the Office for Personal its preparedness by conducting continu- Data Protection. This office is an indepen- ity planning and response preparation for dent state authority tasked with supervis- large-scale cyber crises.

20 3 . E-CRIME AND LAW probably due to the fact that several studies ENFORCEMENT have ranked Slovakia as one of the most vulnerable countries to cyber crime in the In 2005, Slovakia signed – and in 2008 rat- EU, along with Malta, Greece, Spain, and ified – the Council of Europe Convention Lithuania.85 on Cybercrime (commonly known as the “Budapest Convention”). While Slovakia In order to meet EU expectations, Slovakia has amended and strengthened its domestic has transposed the 2013 EU Parliament and legislation and regulations to include com- EU Council “Directive on Attacks against puter crimes, “cyber crime is not treated by Information Systems” and extended the legal law as a special category of crimes, which regulation under its Penal Code to identify is also why statistics on cyber crime cases a wider complex of cyber crime acts. It has are not fully available.”84 The term “cyber also made the legal regulation of criminal crime” has not been explicitly defined in liability of legal entities more precise under a the Slovak Penal Code or in a similar nor- separate law.86 Collecting statistics on com- mative legal act. However, the Penal Code puter crimes and e-crime remains cumber- does recognize and stipulate the facts of some. Statistics in the Prosecution Service individual criminal offense for “unauthorized are compiled separately from the statistics of access to” or “unauthorized intervention in” the Police Force, Slovak courts, SK-CSIRT, or computer systems or computer data, or for the private sector, and there is no common using, procuring, or possessing a computer database to show all the criminal offenses to commit a criminal offense. Taken together, related to computer crime. However, efforts these provisions form the normative frame- have been made to upgrade the accuracy work on cyber crime in Slovakia. and interoperability of relevant public data- bases and to use a common taxonomy as suggested by the EU as a basis to collect data on cyber crime. In 2005, Slovakia signed – and in 2008 ratified – In 2014, the Constitutional Court of Slo- vakia issued a resolution that included a the Council of Europe non-preservation of data clause, which had a Convention on Cybercrime. negative impact on the detection, investigation, and prosecution of computer crimes in the Slovak Republic. It also slowed cross-border law enforcement exchange of information The methods to combat cyber crime have because there was no requirement to report also been incorporated in other strategies incidents or retain data. This, in turn, also and action plans, such as the “Strategy on hampered international legal assistance in the Prevention of Crime and Other Antiso- some cyber crime cases.87 In that same year, cial Activities in the Slovak Republic for the Slovak prosecutorial authorities had to develop years 2012-2015.” This strategy stated that a special process with the U.S. authorities to the seriousness of cyber crime and incident request expedited preservation of computer rate reduction was a national priority. This is

21 data and accelerate cooperation. In 2017, the Use of Internet” call for proposals to set up law on data protection was amended mak- this specialized cyber crime unit and to fulfill ing incident reporting mandatory for certain the objectives laid out in the Slovak Police categories of businesses (in line with the NIS Strategy for the 2014-2020 programming Directive) and allowing for the processing of period.90 The objectives included setting up personal data for the purposes of prevention, an integrated national system for reporting investigation, detection or prosecution of and monitoring illegal content on the Inter- criminal offenses.88 net, modernizing methods and tools, and procuring technical equipment for detecting The Slovak data retention law was also updated and investigating computer security related in line with the EU Data Retention Directives to criminal activity. The strategy also calls for (DRD). The law requires ISPs and telecom the development and implementation of new companies to retain users’ data for a certain programs for police training and education period of time. This data must be accessible in the field of prevention and fight against by law enforcement authorities to combat crime, with an emphasis on radicalism and crime, terrorism, and other domestic issues. terrorism in connection with cyber crime. Slovakia now requires ISPs and telecom services to keep a check on the communications of The Cybercrime Unit has been growing in all citizens – even those citizens who are not terms of capacity and missions since 2015 suspected or convicted of a crime – and law and it supports local authorities in their enforcement officials can demand access to investigations of cyber crimes by promoting the data for any reason. Moreover, in line with exchange of information, monitoring illegal European requirements, ISPs are expected activities on the Internet, ensuring the col- to store data of other service providers, data lection of lessons learned from casework, locations, and six months of communication and facilitating training in this field. How- parties’ data in cases of email, Internet, and ever, Slovakia has generally lagged behind voice over IP (VoIP) communication, or one other EU countries in the establishment of year of information for other communications.89 specific training and capacity building pro- Critics fear that these measures violate privacy, grams for enabling court judges, prosecutors, data protection, and freedom of expression lawyers, law enforcement officials, forensics in Slovakia. specialists, and other investigators to better fight cyber crime. The 2016 Action Plan that While Slovakia has not established special- accompanied the 2015 national cyber security ized units in the Police or Prosecution Ser- strategy emphasized the need to strengthen vice dedicated specifically to carrying out education in the area of information and investigations or prosecutions of cyber crime, cyber security within judicial authorities, and it did set up a Cybercrime Unit within the proposed the introduction of a minimum Criminal Police Bureau at the Presidium of level of education for all judges and prose- the Police Force in 2015. The unit is respon- cutors at all levels.91 More recently, Slovak sible for criminal intelligence activities. In authorities have launched various training and addition, the Ministry of Interior received capacity building activities for practitioners, over €220,000 (~$246,960) from the Euro- which are organized by various academies. pean Commission under the 2013 “Illegal They have also put forward different efforts

22 to prevent and raise awareness about cyber cyber crime capacity building in the country, crime, including supporting the activities of and developed a competency framework to the non-profit organizatione -Slovensko that deliver additional educational programs to operates the Slovak Awareness Center under Slovakian law enforcement personnel. the EU Safer Internet Programme. E-Slovensko’s goal is to raise awareness about cyber secu- Slovakia cooperates closely with the European rity among the public, especially children Cybercrime Centre (EC3) and Europol, and and youth, in order to teach them how to has an Interpol national bureau operating behave responsibly when using new online from Bratislava that serves as a 24x7 contact technologies. The Slovak Awareness Cen- point, as per the provisions of the Budapest ter performs various activities, hosts social Convention. The General Prosecutor’s office events, and produces promotional materials and the International Law Department within to raise awareness about safer use of online the Ministry of Justice regularly send their technologies.92 representatives to the European Judicial Cybercrime Network, including the kick-off meeting held in 2016. They also take part in other initiatives promoted by the Coun- The e-Slovensko’s mission is to cil of Europe on Criminal Justice in Cyber- raise awareness about cyber space and the Organisation for Security and security among the public, Co-operation in Europe (OSCE). especially children and youth. Despite recent efforts to reduce the rate and risk of computer-related crimes, Slovakia continues to be plagued by higher cyber crime activities than most of its neighbors. This is In 2014, the Slovak Ministry of Interior launched caused by a combination of lack of aware- a project in collaboration with the University ness of the threats to the country’s digital College in Dublin (UCD) and e-Slovensko infrastructures and services, an inadequate to support capacity building efforts and investment to provision secure and resilient to deliver effective and appropriate cyber products and services, and a high rate of crime training programs for Slovakian law infection of Slovakia’s digital devices and enforcement personnel.93 The project was infrastructures. These infections and intru- co-funded by the EU Prevention of and Fight sions enable illicit and illegal activities. Slo- against Crime Programme. As part of this vakia’s maturity and commitment to reduc- project, UCD organized a number of study ing criminal activities that affect the country visits for various representatives of the Slova- and to combating transnational crime need kian Police and delivered specialized training acceleration. In order to bring the country in for professionals, investigators, and techni- line with European and global expectations cal experts. It also produced a report that and to meet the needs of a healthy digital reviewed current provisions for law enforcement economy, Slovakia may need to increase training in digital forensics and cyber crime its efforts with law enforcement agencies, investigations, identified best practices in ISPs, and international partners to reduce these areas, provided recommendations for the pathways for cyber crime.

23 4 . INFORMATION SHARING early warning system promises the “timely exchange of information on the threats, cyber As stated in the 2015 national cyber security security incidents, and risks related thereto” strategy and its action plan, Slovakia recog- between NBU and other entities involved in nizes that an efficient and secure system for incident response handling.96 Depending the exchange of information between the on the urgency of a cyber incident or threat public and private sectors, as well as with warning, NBU can issue alerts both through other relevant actors in the national cyber- the Cybersecurity Single Information System space, is necessary to ensure the protection and the mass media, and on the Central of cyberspace.94 The action plan included Portal of Public Administration (Article 27). practical recommendations to create an effective, national-level model of cooperation The system consists of public-facing and among relevant entities within the national non-public parts and access is free of charge. cyber security architecture, and to imple- The public section contains a registry of ment a system for reporting, responding to, competent bodies, operators of essential and exchanging relevant information about services, and providers of digital service. It cyber security incidents. These recommen- also includes a repository of cyber security dations resulted in the development of the incidents, the list of accredited CSIRT units, Cybersecurity Single Information System. alerts and warnings, and other information In 2018, with the passage of the Cybersecurity for minimizing, averting, and remedying the Act, Slovakia formally established the Cyber- consequences of a cyber security incident. security Single Information System (Article As well, it contains methodologies, guide- 8).95 The Cybersecurity Single Information lines, standards, policies, and announce- System is administered and operated by ments pertaining to industry and country NBU, the entity responsible for incident best practices. The 2018 Cybersecurity Act response coordination and information specifies who qualifies for inclusion in the sharing during crisis and emergencies, as register of service providers or operators well as other functions. This online platform (e.g., banking, transportation, digital infra- “ensures systematic gathering, concentrating, structure, energy, financial services, postal analyzing, and evaluating of cyber security services, key areas of industry, electronic incidents information,” while the central communications, healthcare, and public administration).97 Each key operator or provider of the individual sectors is entered in the register along with the competent The Cybersecurity Single authority responsible for their oversight. Information System facilitates The non-public part of the Cybersecurity Single the collection, evaluation, and Information System can be accessed directly exchange of information. in electronic form in real time, and is reserved to specific bodies within the government, accredited CSIRT units, operators of essen-

24 tial services, providers of digital services, agencies. It regularly performs penetration the National Bank of Slovakia, the Office for tests with the involvement of other public Personal Data Protection, and other public and private sector entities. In addition, it is administration authorities as determined by the central contact point for other Public the NBU. Administrations’ European-level CSIRTs for the exchange of information and agreed As mentioned in the incident response sec- upon procedures. tion, SK-CERT plays an important role in information sharing. It actively cooperates Slovakia is also a key member of the Central with other national and foreign CSIRTs and European Cyber Security Platform (CECSP), is a member of two important organizations, which plays a role in facilitating information Trusted Introducer and FIRST. These orga- exchange among the Visegrad (V4) countries nizations are particularly important for the (i.e., Czech Republic, Hungary, Poland, and sharing of information among recognized Slovakia) and Austria. CECSP was established CSIRTs around the world as well as other in 2013 by the Czech Republic and Austria, security teams. Membership to these orga- and consists of representatives of govern- nizations is based on trust and professional ment, national, and military CSIRT teams along cyber security ethics, which have a significant with the representatives of national security impact on receiving relevant cyber security authorities. Slovakia is represented in the information and exchanging experiences CECSP by NBU. The aim of the platform is around the world. SK-CERT also publishes to foster cooperation among neighboring monthly reports with information on cyber countries in the area of cyber security, espe- threats, product vulnerabilities, cyber secu- cially to promote the exchange of information; rity incidents, and other cyber-related infor- share tactics, techniques, and procedures for mation. In addition, SK-CERT participates handling cyber threats; and work together in the information exchange project called to prevent future cyber attacks. the “CyberExchange.” It was launched in 2018 by the Czech CSIRT team and co-fi- Finally, Slovakia participates in the NATO’s nanced by the EU Connecting Europe Facility Malware Information Sharing Platform (MISP) (CEF) as a reaction to the increase in cyber and collaborates with its Alliance members security threats and the need for cross-bor- in the areas of cyber defense, cross-border der defense cooperation. It is intended to cyber security incidents, and the exchange strengthen mutual cooperation of national of technical information on threats and and government CSIRTs/CERTs and grow vulnerabilities. the expertise of their respective staff members. Security teams from Austria, Croatia, Slovakia is beginning to promote its critical the Czech Republic, Greece, Latvia, Luxem- location in Central-Eastern Europe and its bourg, Malta, Poland, Romania, and Slovakia strong ICT sector. Yet, its high connectivity participate in the CyberExchange. coupled with its lack of preparedness has made it an attractive target for cyber crime Under the Office of the Deputy Prime Minis- and state-sponsored espionage. Slovakia’s ter, the government CSIRT.SK provides cyber businesses and critical services need action- information and alerts to other government able information and advice to help shore

25 up their defenses and increase resilience. not clearly state how the government would The CECSP can be an excellent platform to support, advance, and sustain these efforts. facilitate information sharing and increase situational awareness and resilience. It will The Slovak system of innovation ranks below be important to ensure that the necessary the EU average and support for R&D is the incentives are in place to accelerate the timely lowest among the Visegrad Group (i.e., Czech and actionable exchange of data. Republic, Hungary, Poland and Slovakia).101 In comparison, the total share of R&D investment 5 . INVESTMENT IN RESEARCH in GDP in the Czech Republic was more than AND DEVELOPMENT twice that of Slovakia in 2017 (1.8 percent vs. 0.9 percent).102 Corporate funds account While Slovakia does not have an officially for only a quarter of the total Slovak fund- recognized national or sector-specific research ing for R&D and the country is still mostly and development (R&D) program dedicated dependent on EU money to fund R&D proj- to cyber security or advanced technology ects, education, and training programs. In development, the 2015 national cyber secu- 2015, Slovakia was the fifth biggest recipient rity strategy stated a clear intent to support of EU funding for government and higher cyber security R&D and innovation.98 It also education R&D, benefitting from over €470 focused on the need to incorporate cyber million (~$528 million).103 In 2014, Slovakia security education at the primary and second- received €2.2 billion (~$2.5 billion) from the ary educational levels; develop specialized European Structural and Investment Fund educational systems for secondary schools, (ESIF) to implement the Horizon 2020 pri- universities, and professionals; and create orities and country-specific recommenda- an internal market for cyber security prod- tions for policy reforms under the European ucts and services.99 The 2015 strategy and Semester in education, employment, and many of the national digital plans have also social inclusion. emphasized the need to raise cyber security knowledge and awareness and develop digital The EU funds are allocated through a series literacy and skills among the public. The 2016 of programs, including the Operational Pro- Action Plan tasked the National Agency for gramme for Research and Innovation (OPVaI), Network and Electronic Services (NASES), the the Human Resources Operational Programme, Ministry of Education, Science, Research and the Youth Unemployment Initiative (YEI), and Sport, and NBU with additional measures. the 2014-2020 ERDF. In particular, OPVaI These included: building new specialized intends to boost competitiveness of small and workplaces to better protect the country’s medium-sized enterprises, support sustainable major information assets; supporting the economic growth, and promote research and development of knowledge and know-how innovation. This program supports R&D in a in cyber security science and research; and variety of fields as part of the EU 2014-2020 creating forensic labs to collect and evaluate Intelligent Specialization Strategy. In Slovakia, digital evidence and conduct analytical activ- these fields include environmental issues, ities during responses to security incidents or technological development and innovation, attacks.100 However, all these strategies did research in science and technology (S&T),

26 and the promotion of increased efficiency labor force works in the private sector).107 and performance of the R&D system.104 The Given the importance of the manufacturing Slovak Ministry of Education, Science, Research sector in Slovakia – which commands some and Sports, in collaboration with the Ministry of the highest manufacturing’s employment of Labor, manages all EU funds, including shares in the EU – workers need to be trained OPVaI. However, by the end of January 2018, to make sure they remain employable in an Slovakia had only spent 4 percent of the €2.2 increasingly digital workplace. To respond billion it received from the OPVaI and other to this need, in 2016 the Slovak Ministry EU programs.105 of Economy established the Smart Industry Initiative for Slovakia. This initiative supports In recent years, the Slovak Ministry of Edu- digital transformation in a variety of areas, cation, Science, Research and Sport, estab- including developing smart factories and lished a Scientific Grant Agency, called VEGA manufacturing; raising awareness and collab- (Vedecká Grantová Agentúra), in partnership oration; promoting research; and providing with the presidium of the Slovak Academy access to finance, labor market, and edu- of Sciences (SAS), to serve as an advisory cation, etc.108 The Smart Industry Initiative body for the implementation of S&T policies, was inspired by similar German and Dutch financing of basic research, and evaluation initiatives and emphasizes R&D cooperation of research projects.106 VEGA is dedicated to with industry and the deployment of more selecting projects from institutional finance advanced technologies like Internet of Things resources under two sub-chapters of the state (IoT) throughout the economy. Key stakehold- budget: university-based S&T research and ers from government, industry, academia, SAS. Its average annual budget is €14 million and the technical community participate in (~15.7 million). the Smart Industry Platform. Funds for this initiative, however, remain limited and mostly The ICT sector plays an important role in the dependent on existing industry funding pools Slovak economy and employment in this sector and the EU funds.109 has grown exponentially between 2008 and 2017 (47 percent increase). In 2018, the ICT While the government has not developed a sector contributed to 4.6 percent of Slovakia’s unified program or set of incentives to encour- GDP and employed about 3 percent of the age cyber security education and applied overall labor force (about 24 percent of the research at universities and academic institutions, it does support and fund all public universities and national laboratories – some of which have developed their own research Slovakia has the highest projects in this field. In particular, the Cyber manufacturing’s employment Security Lab at the Pavol Jozef Šafárik Univer- shares in the EU – underscoring sity focuses on network intrusion detection, the need to train and retain honeypots, and privacy issues; the Department a digital workforce. of Computers and Informatics at the Technical University in Košice has an ongoing collaboration with Siemens, IBM, and Microsoft; and

27 the Faculty of Informatics and Information ICT students, equip IT laboratories at schools, Technologies of the Slovak Technical Univer- and set up new IT-related educational pro- sity (STU) has recently launched a Centre of grams. It also intends to train elementary Excellence for Artificial Intelligence (AI). The and secondary school teachers to use digital Ministry of Education, Science, Research and technology and innovative pedagogies to Sport, the Deputy Prime Minister’s Office for teach STEM subjects, including mathemat- Investments and Informatization, and NBU ics, informatics, and natural sciences. The IT all play a role in promoting cyber security Academy project is scheduled to run from education, knowledge creation, and skills 2017 to 2020 and aims to reach 24,000 stu- development. The Slovak government rec- dents from at least 300 elementary schools, ognizes that a cyber-literate workforce would about 9,000 students from at least 200 sec- help Slovakia in tackling cyber threats in the ondary schools, and 3,000 students from long run, and is trying to address its short- 5 technical universities. It plans to create age of cyber security talent by incentivizing additional informatics courses and new IT the younger population to study and work labs in 60 elementary schools, 30 secondary in the cyber security field.110 In 2017, the schools, 4 state organizations, and 8 uni- Slovak government invested 3 percent of versities. Courses already incorporated in its GDP on bettering the overall quality of school programs include troubleshooting education in the country, including cyber and computer programming, computer sys- security education for public administration tems and networks, information security, and employees.111 programming of mobile devices, etc. The EU Human Resources Operational Program The Slovak government is also providing – part of the €2.2 billion EU Operational scholarships and grants through the Official Program funding stream – is supporting the Development Assistance (ODA) program to IT Academy project. From 2015 to 2018, the national and international students for educa- Ministry of Education, Science, Research and tion at technical universities, like the STU.112 Sport has allocated more than €131 million However, the ODA program is not specifically (~$147 million) through this program. focused on cyber security education. In 2015, ESET – one of the world’s largest IT Different governmental entities and private security companies headquartered in Bratislava sector companies are individually and more – established the ESET Research Centre in directly involved in strengthening digital skills collaboration with the STU and the Comenius and literacy, supporting the development University in Bratislava. The research center of a knowledge-based society, and further aims to effectively connect the academic and increasing the number of ICT students in business sectors and increase research activ- Slovakia. For example, in 2016, the Ministry ities and capacities in cyber security.114 Other of Education, Science, Research and Sport in IT industry associations, such as the Košice partnership with the ICT industry, academia, IT Valley and the IT Association of Slovakia and other partners launched the IT Academy (ITAS), facilitate cooperation, innovation, and project.113 This project aims to increase the education in the ICT sector and support inno- numbers as well as the level of digital skills of vative start-ups and small IT companies in the

28 Eastern Slovakia region through incubators, financing, venture capital, entrepreneurship education, rubber training, mentoring, etc.115 One of the main aims of the Košice IT Valley The ESET Research Centre is to motivate youth to study and work in IT connects the academic and and robotics. Its “IT Valley 2012+” project business sectors and serves to seeks to create a communication platform increase research activities and for stakeholders in the ICT cluster in Eastern capacities in cyber security. Slovakia including government, research and development institutions, universities, and secondary schools focused on ICT education.

In July 2016, the EU launched the European In September 2017, then-Deputy Prime Min- Cyber Security Organisation (ECSO) – a con- ister for Investments and Informatization and tractual public-private partnership in cyber today’s Slovak PM Pellegrini launched the security (cPPP) that supports initiatives and Digital Coalition (Digitálna Koalícia) – in line projects focused on developing, promoting, with the priorities of the EU Digital Skills and and encouraging European cyber security.116 Jobs Coalition initiative.117 This initiative pro- The main objective of the partnership is to motes cooperation among public and private foster cooperation between public and private entities and the professional community. It actors at the early stages of the research and includes projects to foster digital literacy and innovation process in order to allow people in skills development, train ICT experts, and Europe to access innovative and trustworthy prepare Slovaks of all ages for work and life European solutions (e.g., ICT products, ser- in the digital economy and so-called Industry vices, software). The partnership also aims 4.0. Among the founding members of the to stimulate the cyber security industry by Slovak Digital Coalition are the ministries of allowing it to elicit future requirements from Education, Economy and Labor, Social Affairs end-users and sectors that are important and Family, as well as secondary and higher customers of cyber security solutions (e.g., education institutions, ITAS, the Association of energy, healthcare, transport, finance), thereby towns and municipalities (ZMOS), and major helping to align the demand and supply sec- tech companies like T-Systems, Microsoft, tors. NBU is one of founding members of Cisco, and Orange.118 In 2018, PM Pellegrini ECSO and is involved in its organizational stated that the Digital Coalition project has structure, particularly in the National Public been successful primarily due to the great Authorities Committee (NAPAC); the Work- commitment and enthusiasm displayed by ing Group 1 (WG1) focused on certification, its participants.119 The coalition has attracted standardization, labeling, and supply chain over 65 members from different sectors and management; the WG5 focused on education, established 218 measurable commitments, training, cyber range, and awareness issues; including a series of scholarships for foreign and the WG6 focused on strategic research students to study ICT in Slovakia. Members and the EU innovation agenda. of the Digital Coalition have also supported the development of the Center of Excellence for AI at STU.

29 Among its activities, the Digital Coalition The new Slovakia Digital Transformation carries out “IT fitness tests” to gauge the Strategy, expected to be released in May level of digital literacy and IT skills of stu- 2019, will also include a renewed focus on dents and teachers in primary schools, high digitizing services, promoting cyber security schools, and colleges across Slovakia.120 education, and attracting foreign investments After the relatively poor results from the in the ICT sector.126 Since the early 2000s, latest iteration of the IT fitness tests – the Slovakia has recognized that it needs to average test success rate for middle and invest in research and education in order high schools dropped from 42 percent in to realize its economic goals. Every digital 2017 to 36 percent in 2018121 – the gov- and innovation strategy published under- ernment recognized the need to increase scores these aspirations. Yet, Slovakia still investments for education in computer sci- faces a significant shortage of cyber security ence, critical thinking, and cyber security. professionals able to protect its critical ser- Deputy Prime Minister for Investments and vices and infrastructures, companies, and Informatization Richard Raši stated that digital assets. Moreover, most of its R&D focusing on cyber-literacy will be a priority initiatives and cyber security education and going forward, especially given the 2018 training programs are still heavily reliant on cyber attacks on Slovakia.122 EU funding to operate. The government must find new mechanisms to encourage the During remarks delivered at a Conference on development and retention of ICT talent and AI and Data Science at the American Chamber the creation of a vibrant startup community of Commerce in Slovakia in September 2018, underpinned by increased public and private Deputy PM Raši stressed the importance of sector investments. The government’s limited creating an attractive business environment implementation and funding to advance its in the country for companies focused on AI digital and innovation strategies, combined and directing the economy toward higher with its dependence on EU funding, may value-added enterprises.123 He emphasized not be enough to accelerate the digitiza- three specific areas of focus for the near tion of public and private activities while future: 1) forming international research part- at the same time reducing the country’s nerships, 2) transferring expertise from labs cyber insecurity. to the market, and 3) following current best practices in decision-making. In February 6 . DIPLOMACY AND TRADE 2019, his office also announced a Memoran- dum of Cooperation with the United Arab The 2015 national cyber security strategy Emirates to establish consensus for digital and the 2014 national digital strategy both ecosystems and AI, in line with the recent identified ICT and cyber security as import- push for developing smart cities.124 Deputy ant elements of Slovakia’s national security PM Raši’s office also released a call for projects and economic prosperity, and stressed the focused on digitizing city administrations, importance of promoting “active international public services to residents, transport man- collaboration.”127 However, Slovakia has not agement, and public safety.125 recognized cyber security as a Tier One priority of its foreign policy or its foreign trade and international commerce negotiations.

30 of Excellence (CCD CoE), the Digital 3 Seas Initiative, and the Network and Information The NBU is responsible Security Public-Private Platform (NIS Plat- for cooperating with the form) – established as part of the 2013 EU 129 Ministry of Foreign and Cybersecurity Strategy. European Affairs to develop Moreover, Slovakia currently holds the international cooperation in Chairmanship of OSCE, and one of the pri- the field of cyber security. orities it set is cyber security. Specifically, Slovakia is focusing on the protection of critical infrastructure by furthering the dia- logue and implementation of the 16 confidence-building measures (CBMs) that the According to the 2018 Cybersecurity Act, OSCE 57 member states adopted.130 These NBU is responsible for cooperating with the measures are aimed at reducing the risks of Ministry of Foreign and European Affairs to conflict that stem from the misuse of ICTs. develop international cooperation and mon- In March 2019, the Ministry of Foreign and itoring activities in the field of cyber security European Affairs’ representatives discussed on the foreign policy interests of the coun- possible common procedures to protect critical try.128 Both the 2015 national cyber security energy infrastructure and ways to promote strategy and 2016 Action Plan reiterated that, multilateralism in cyber diplomacy during as a member of NATO and the EU, Slovakia the Vienna Cybersecurity Week. Slovakia intends to participate in the formulation of has an important opportunity to intensify international strategic and conceptual docu- efforts to operationalize the CBMs and pro- ments, prepare and implement EU legislative mote initiatives to drive cyber resilience for and non-legislative initiatives involving cyber the region. security, and support NATO collaboration in the area of cyber defense. In line with the objectives described in the national cyber security strategy, Slovakia regularly participates in international discussions on cyber Slovakia currently holds security, cyber crime, CSIRTs cooperation, the Chairmanship of the and cyber defense (although the country Organisation for Security and has rarely initiated regional agreements in Co-operation in Europe (OSCE) these matters). In addition to its EU and and will work to implement NATO membership, Slovakia is a member of other major international bodies addressing the 16 confidence-building cyber security-related issues, including the measures to drive cyber Council of Europe, OECD, V4, ENISA, the resilience for the region. NATO Cooperative Cyber Defence Centre

31 Besides its collaboration in international that Slovakia will not impose any restrictions organizations and structures, Slovakia also on their market entry at this time.134 works to cultivate relations and engage in bilateral cooperation with specific countries Finally, Slovakia is beginning to support in the area of cyber security. For example, Europe’s broader initiatives to address the in 2018, PM Pellegrini and French Presi- exposure of citizens to large-scale disinfor- dent Emmanuel Macron agreed to deepen mation, including misleading or outright cooperation in cyber security by facilitat- false information. The Ministry of Foreign ing information sharing between Slovak and European Affairs has developed a and French experts.131 Similarly, the Slovak strategic communications unit that looks government has held talks with Azerbaijan at the spread of disinformation and fake and offered its expertise in regards to the news. This unit is the contact point for the adoption of measures aimed at securing net- election cooperation network by the EU to works and information systems.132 The same ensure safe and secure elections. However, year, in 2018, Serbia and Slovakia agreed the MFA is more focused on confronting to exchange experiences and expertise in cyber threats coming from Russia, including the development of national innovation influence and disinformation campaigns, infrastructures, and national regulations than establishing a broader focus and con- on innovation, digital transformation, and tingent of dedicated and trained person- technology transfer. Slovakia has also joined nel whose primary mission includes active the “Paris Call for Trust and Security in engagement in cyber security diplomacy Cyberspace” – a high-level declaration on or trade negotiations. developing common principles for securing cyberspace, launched by the French Indeed, the subject of cyber diplomacy government in November 2018.133 exceeds just the rules of engagement and constraining behaviors. It also concerns pro- Prime Minister Pellegrini has personally taken moting trade through the free, cross-border part in some of the global debates on cyber exchange of information, goods, services, and security issues, such as the provision of 5G capital – especially within the EU. Balancing technology from Chinese telecommunica- economic prosperity and national security tions manufacturers and its importance to requires establishing a refined diplomatic national security. PM Pellegrini took a diver- corps and increasing the country’s regional gent stance from his Polish and Czech coun- leadership to realize its vision and goals. terparts and many other NATO allies when Slovakia has an important opportunity as he declared that Slovakia does not consider it leads the OSCE on cyber issues. Chinese technology a security threat and

32 7 . DEFENSE AND CRISIS could have in the future, and called for the RESPONSE Military Intelligence to strengthen and develop capabilities in cyber security.137 It placed In the late 2000s (after the cyber incidents emphasis on the protection of communi- in Estonia and then Georgia), the use of mil- cations and information technology infra- itary grade weapons against national critical structures within the MoD and on ensuring infrastructures and the use of cyber in mil- support for the Slovak Armed Forces (AF itary operations catalyzed Slovakia’s MoD SR) in cyberspace.138 to undertake initiatives to start training and equipping its Armed Forces and to align domestic efforts to NATO’s cyber defense requirements. The Cyber Defense Center was created in 2018 as a The 2005 National Security Strategy of the special department within the Slovak Republic neither mentioned information Military Intelligence, tasked security nor cyber security. However, starting with the 2013 White Paper on Defense of with the cyber defense of the Slovak Republic, the country recognized national critical assets. the need to take necessary steps to prevent threats that could cause significant or irre- coverable damage to Slovakia and that could undermine the credibility of the state.135 Also In response to this call and the 2015 reorga- in 2013, the Slovak Military Defense Intelli- nization of the government entities respon- gence (VOS) and Military Intelligence Service sible for cyber security, the Cyber Defense (VSS) were merged into one service called Center was created in 2018 (based on the Military Intelligence (VS) within the MoD. Cybersecurity Act) as a special department The Military Intelligence is responsible for within the Military Intelligence, tasked with “acquiring, collecting, and analyzing infor- the cyber defense of national critical assets. mation significant for securing defense and The center collects, aggregates, analyzes, and defense capabilities of the Slovak Republic,” evaluates information critical for cyber defense, including activities and threats in cyberspace. informs affected parties about existing and Its primary mission in this domain is to “pro- potential threats, and suggests appropriate tect the defense and critical infrastructure measures.139 In addition, the center hosts and information systems essential to secure the military computer security and incident the state functioning.”136 response team (CSIRT.MIL.SK). CSIRT.MIL.SK oversees monitored infrastructures, provides The 2016 White Paper on Defense acknowl- early detection of systems vulnerabilities and edged that cyberspace was now the fifth malicious activities on the network, responds domain of warfare, in line with the declara- to serious cyber security incidents of national tion made by NATO member states at the importance (like the 2018 attack on the Min- 2016 Warsaw Summit. It also recognized the istry of Foreign Affairs), and offers education influence that asymmetric security threats, and awareness programs for its constituency. including cyber attacks and hybrid warfare, In February 2018, CSIRT.MIL.SK was accred-

33 Figure 3: Organizational structure of the Slovak Military Intelligence, http://csirt.mil.sk/75689. ited by the Trusted Introducer certification The Military Intelligence will then perform its authority, and became a full member of the incident response tasks through the Cyber international Task Force of Computer Secu- Defense Center and CSIRT.MIL.SK. rity Incident Response Teams (TF-CSIRT).140

The 2018 Cybersecurity Act codified the role The Cyber Defense Center has and responsibilities of the Cyber Defense Center (Article 35). It also gave it the authority direct and full real-time electronic to “require compliance from the owners and access to the Cybersecurity operators of facilities of special importance Single Information System to and critical infrastructure elements, as well ensure the cyber defense of as information to the extent necessary to the country when needed. ensure the cyber defense of the country.”141 In order to fulfill the tasks assigned to it, the center has direct and full real-time electronic access to the Cybersecurity Single Informa- The 2016 White Paper also recognized the tion System. In the event of a serious cyber importance of improving the training of the security incident that “exceeds the specified Slovak Armed Forces. The Armed Forces Acad- degree of severity” or that involves a case of emy of Milan Rastislav Štefánik, for example, “cybernetic terrorism,” NBU must inform the is investing in the long-term development Military Intelligence and provide all necessary of university-level education and vocational information “to ensure cyber defense.”142 training and exercises in line with the AF

34 SR requirements, including the training of and technical security processes within par- professional soldiers in the area of cyber ticipating organizations, including their ability security. The Paper also called for training of to mitigate incidents and identification of commanders focused on the ability to plan employees’ security awareness levels (e.g., high-intensity joint operations to defend the against phishing attacks and online scams). homeland and/or provide collective defense The Ministry of the Interior, the Prime Minis- to NATO allies in a complex operational envi- ter’s Office, the Telecommunications Office, ronment, including hybrid, cybernetic, and and the Ministry of Finance were all actively terrorist threats. involved in the 2013 exercise.

Slovakia regularly participates in cyber train- In 2017, the Slovak government published ing and exercises with international partners, a new draft national security strategy, which including the CCD CoE-led Locked Shields recognizes the ubiquity of cyber attacks and exercise – won by Slovakia in 2016 – and the argues that the consequences of such attacks NATO-led Cyber Coalition exercise, in order can reach the level of a conventional armed to test its abilities and reactions to cyber attack. The document also reiterates NATO’s attacks and demonstrate cooperation through definition of cyberspace as a new domain information exchange and assistance.143 The of operations and stresses that collective country also contributes to the EU Cyber defense in this sphere is critical.145 The draft Europe and CyberSOPEX exercises, both strategy states that its “aim is to develop organized by ENISA, and participated in the cyber defense and create a protected cyber- 2018 SecOps Europe exercise in Budapest. space for Slovakia.” It also affirms that “the In 2018, the Slovak team that participated in Slovak Republic will create an institutional these exercises consisted of representatives and legal framework aimed at enhancing the from the NBU, the national SK-CERT, the security and resilience of cyberspace. The MoD (only in the Locked Shields exercise), result will be a comprehensive system of cyber and the government CSIRT.SK unit. security, including international cooperation, cooperation with the private sector and the Moreover, the government has held at least academic community.”146 three national-level exercises in 2011, 2012, and 2013 to demonstrate (technical) national While there is a clear emphasis on scaling cyber defense readiness. The Slovak Infor- cyber defense systems in Slovakia, exact mation Security Exercises (SISE) were aimed allocations of funding are unclear. In 2017, at CII protection. The primary goal of SISE the Military Intelligence department spent 2012, for example, was to test the techni- €54 million (~$60.6 million) for all its activ- cal response of participating institutions to ities.147 MoD’s overall expenditures in 2018 large-scale ICT incidents, including data exfil- amounted to €1 billion (~$1.1 billion), but trations, DDoS attacks, and ripple effects the specific funding for military intelligence on the provision of public services.144 The activities and the Cyber Defense Center is 2013 exercise tested the security incident not publicly available.148

35 CRI 2 .0 BOTTOM LINE approach that aligns its national economic visions with its national security priorities, According to the CRI 2.0 assessment, Slovakia updates to this country profile will reflect is still in the early stages of developing a path those changes and monitor, track, and eval- toward cyber resilience and cyber readiness, uate substantive and notable improvements. and is currently partially operational only in one of the seven CRI essential elements. The CRI 2.0 offers a comprehensive, comparative, experience-based methodology to The findings in this analysis represent a snap- help national leaders chart a path toward a shot in time of a dynamic and changing land- safer, more resilient digital future in a deeply scape. As Slovakia continues to develop and cybered, competitive, and conflict prone world. update its economic (digital agenda) and For more information regarding the CRI 2.0, national cyber security strategies, policies, please see: http://www.potomacinstitute. and initiatives to reflect a more balanced org/academic-centers/cyber-readiness-index.

Legend

Fully Operational

Partially Operational

Insufficient Evidence

National StrategyIncident ResponseE-Crime & Law EnforcementInformation SharingInvestment in R&DDiplomacy & TradeDefense & Crisis Response IDI Rank NRI Rank GDP Rank

36 ENDNOTES 10. Karol Fabian, “Distribuovane mikropocitacove systemy a poci- 1. Česká pošta, “Czechoslo- atky slovenskeho Internetu v vak and Czech Post’s history,” UTK SAV a UAKOM SAV.” https://www.ceskaposta.cz/ en/o-ceske-poste/historie. 11. “History of the Internet in Slovakia.”

2. Česky Telecom, “History,” http:// 12. “Slovakia’s Dzurinda Gets a Second www.fundinguniverse.com/compa- Chance as Prime Minister,” EURAC- ny-histories/cesky-telecom-a-s-history/. TIV, 7 October 2002, https://www. euractiv.com/section/elections/opin- 3. Stefan Kohut, “15 years of SANET ion/slovakia-s-dzurinda-gets-a-second- Association,” http://www.sanet. chance-as-prime-minister/838279/. sk/buletin_sanet_en.pdf. 13. SANET, “About the SANET.2 project, 4. The group of researchers at the Insti- http://www.sanet.sk/en/oprojekte. tute of Applied Cybernetics (UAK) shtm; Government of the Slovak in Bratislava who developed the first Republic, “Resolution n° 383/2001.” intra-network used SMEP computers (systém malých elektronických or 14. World Bank, “Individuals using the small electronic computer systems). Internet (% of population),” 2000, 2010, and 2017, https://data.world- 5. Jaroslav Bobovsky, “History of the bank.org/indicator/IT.NET.USER.ZS. Internet in Slovakia,” http://kit2015. aos.sk/proceedings/pdf/beset.pdf. 15. European Commission, “Europe’s Digital Progress Report: Slova- 6. Most historians refer to this period as kia,” (2017): 3, https://ec.europa. the Velvet Revolution, maintaining the eu/digital-single-market/en/score- Czech’s nomenclature for this event. board/slovakia, and World Bank, “Fixed broadband subscriptions 7. “History of the Internet,” 1. (per 100 people),” 2017, https:// data.worldbank.org/indicator/IT.NET. 8. Karol Fabian, “SANET Net- BBND.P2?end=2017&start=1998. work: Evolution and Services,” https://www.researchgate.net/ 16. Eurostat, “Percentage of the publication/303665227_SANET_ ICT Sector on GDP,” https:// Network_Evolution_and_Ser- ec.europa.eu/eurostat/tgm/ vices_Proc_INET’93_San_Fran- table.do?tab=table&init=1&lan- cisco_CA_USA_1993. guage=en&p- code=tin00074&plugin=1. 9. “History of the Internet in Slovakia,” 5-6.

37 17. Lea Hriciková and Kadri Kaska, 22. Melissa Hathaway, “Toward a Closer “National Cyber Security Organi- Digital Alliance,” SAIS Review of zations: Slovakia,” NATO Coop- International Affairs, Johns Hop- erative Cyber Defence Cen- kins University Press, Volume 36, tre of Excellence, (2015): 5. n. 2, (Summer-Fall 2016): 57-67.

18. Slovak Republic, Ministry of 23. “The National Concept of Finance, “Information Society eGovernment,” 53. Strategy for 2009–2013,” (2009): 6-16 http://www.informatizacia.sk/ 24. NATO, “Cyber Defense,” ext_dok-information-society-star- https://www.nato.int/cps/en/ tegy-for-2009_2013/6497. natohq/topics_78170.htm.

19. European Migration Network, 25. European Commission, “EU Cyber “Ad-Hoc Query on Identity Docu- Security strategy: An open, safe ments issued to EU Member States and secure Cyberspace,” Febru- citizens,” November 2009, https:// ary 2013, https://ec.europa.eu/ ec.europa.eu/home-affairs/sites/ home-affairs/what-is-new/news/ homeaffairs/files/what-we-do/net- news/2013/20130207_01_en. works/european_migration_network/ reports/docs/ad-hoc-queries/resi- 26. National Security Authority, “Cyber dence/161._emn_ad-hoc_query_iden- Security Concept of the Slovak tity_documents_issued_to_eu_ms_cit- Republic for 2015-2020,” (2015): 9, izens_2oct2009_wider_dissemination_ 11, https://www.enisa.europa.eu/ en.pdf, and European Commission, topics/national-cyber-security-strat- “Operational Programme ‘Infor- egies/ncss-map/cyber-security-con- mation Society’,” (2007), https:// cept-of-the-slovak-republic-1. ec.europa.eu/regional_policy/en/ atlas/programmes/2007-2013/ 27. National Security Authority, “Statute slovakia/operational-pro- of the National Security Authority. gramme-information-society. Resolution No. 92/2016,” 2 March 2016, https://www.nbu.gov.sk/ 20. Deputy Prime Minister’s Office urad/pravne-predpisy/statut/index. website, 11 March 2019, https:// html; Jaroslaw Adamowski, “Slovak www.vicepremier.gov.sk/aktuality/ Finance Ministry drafts country’s informatizacia/rasi-mame-priprav- first cyber-security law,” SC Mag- enu-strategiu-digitalnej-transfor- azine, 18 October 2016, https:// macie-slovenska/index.html. www.scmagazineuk.com/slovak-finance-ministry-drafts-countrys-first-cy- 21. European Commission, “Europe’s ber-security-law/article/1476115. Digital Progress Report: Slovakia,” 1.

38 28. National Council of the Slovak 35. In 2000, the European Commission Republic, “Act on Cybersecurity and launched its first “eEurope – An on Amendments and Supplements to Information Society for All” strat- certain Acts,” January 2018, http:// egy, which proposed the ambitious www.nbu.gov.sk/wp-content/uploads/ goals of turning the EU into the most legislativa/EN/Act_Cybersecurity.pdf. competitive and dynamic knowledge-based economy by 2010, and 29. Tom Watts, “Which EU Coun- “bringing every citizen, home and try is most vulnerable to cyber- school, every business and admin- crime,” November 2018, https:// istration, into the digital age and www.websitebuilderexpert.com/ online” while guaranteeing that “the blog/eu-cybercrime-risk/. whole process is socially inclusive, builds consumer trust and strength- 30. “Cyber-attack hits Slovak Minis- ens social cohesion.” For more, see: try of Foreign Affairs,” 18 October “eEurope – An Information Society 2018, Remix, https://rmx.news/ for All,” EUR-Lex, (2000), https:// slovakia/cyber-attack-hits-slo- eur-lex.europa.eu/legal-content/EN/ vak-ministry-foreign-affairs. TXT/?uri=LEGISSUM%3Al24221.

31. Ibid, 9, 72. 36. “National Cyber Security Orga- nizations: Slovakia,” 5. 32. Jurika Novak et al., “The rise of Digi- tal Challengers: Perspective on Slo- 37. Slovak Republic, Ministry of Finance, vakia,” McKinsey, (November 2018): “Information Society Strategy 4, https://digitalchallengers.mckinsey. for 2009–2013,” (2009): 6-16. com/files/The-rise-of-Digital-Chal- lengers_Perspective-on-SK.pdf. 38. Government Resolution No. 139/2013 (20 March 2013), Act 33. Peter Adamovsky, “Pellegrini: Slo- No. 575/2001 Coll. on the orga- vakia can become a testing space nization of the government activi- for bold ideas,” The Slovak Spec- ties and the organization of central tator, 21 December 2017, https:// government administration, and spectator.sme.sk/c/20721988/ European Commission position digital-transformation-offers-the- paper, http://www.nsrr.sk/sk/pro- chance-to-be-a-leader.html. gramove-obdobie-2014---2020/ pozicny-dokument-europskej- komis- 34. European Parliament, “The Lisbon ie-k-partnerskej-dohode-a-pro- Strategy 2000-2010,” http://www. gramom-sr-na-roky-2014---2020/. europarl.europa.eu/document/ activities/cont/201107/20110718AT- T24270/20110718ATT24270EN.pdf.

39 39. The two documents were 49. Slovak Republic, Ministry of Finance, approved by Government Reso- “National Strategy for Informa- lution No. 522/2001 and by Gov- tion Security 2009-2013,” (2008): ernment Resolution No. 43/2004 6, https://www.enisa.europa. on 21 January 2004, 4-6. eu/topics/national-cyber-security-strategies/ncss-map/Slovakia_ 40. Slovak Republic, Ministry of Finance, National_Strategy_for_ISEC.pdf. “Information Society Strategy for 2009–2013,” (2009): 6-16. 50. National Security Authority, “Authority.” 41. Slovak Republic, Ministry of Finance, “The National Concept of eGov- 51. “National Strategy for Information ernment,” (February 2008). Security,” 8; and Slovak Republic, Ministry of Defense, “The White 42. Slovak Republic, Ministry of Finance, Paper on Defence of the Slovak “The National Strategy of the Slo- Republic,” (2013): 49, 127, http:// vak Republic for Digital Integra- www.mosr.sk/data/WP2013.pdf. tion,” (November 2008): 3-4. 52. “National Strategy for Infor- 43. Office of the Government of the mation Security,” 6, 11-12. Slovak Republic, “Operational Pro- gramme Informatisation of Society,” 53. “Statute of the National Secu- Version4.0, (2012), http://www.opis. rity Authority,” (2016). gov.sk/data/files/2448_8949.pdf. 54. The Cybersecurity Committee is 44. Slovak Republic, Ministry of Finance, a permanent working body of the “Strategic Document for Digi- Security Council that advises and tal Growth and Next Generation recommends policy measures for pro- Access Infrastructure (2014-2020),” tection in cyberspace, and the head http://www.informatizacia.sk/index/ of NBU is also on the committee. open_file.php?ext_dok=16622. 55. National Security Authority, “Cyber 45. Ibid, 3. Security Concept of the Slovak Republic for 2015-2020,” 8. 46. Ibid, 9, 72. 56. Ibid, 9. 47. Ibid, 74, 111-112. 57. National Security Authority, “Cyber 48. Deputy Prime Minister’s Office Security Concept of the Slovak website, 11 March 2019, https:// Republic for 2015-2020,” and www.vicepremier.gov.sk/aktuality/ “Action Plan of Implementation of informatizacia/rasi-mame-priprav- Cyber Security Concept of the Slo- enu-strategiu-digitalnej-transfor- vak Republic for years 2015-2020.” macie-slovenska/index.html.

40 58. “Action Plan of Implementation of 69. “Which EU Country is most vul- Cyber Security Concept of the Slovak nerable to cybercrime.” Republic for years 2015-2020,” 3, 17. 70. SK-CERT, “Detected Events,” 59. “Cyber Security Concept of the https://www.sk-cert.sk/en/statis- Slovak Republic for 2015-2020,” 17. tics/detected-events/index.html.

60. “Action Plan of Implementation of 71. SK-CERT, “RFC2350 – CSIRT Cyber Security Concept of the Slovak Description for SK-CERT, National Republic for years 2015-2020,” 4, 34. CSIRT of the Slovak Republic,” Jan- uary 2016, https://www.sk-cert.sk/ 61. National Security Authority, en/about-us/rfc2350/index.html. http://www.nbu.gov.sk/en/ authority/index.html. 72. SK-CERT, “About Us,” https://www. sk-cert.sk/en/about-us/index.html. 62. Ibid, 17. 73. Ibid. 63. “Cyber Security Concept of the Slovak Republic for 2015-2020,” 5. 74. Ibid.

64. “Cybersecurity Act 2018,” 75. NIS fully transposed in Slovakia Articles 4 and 5. - https://ec.europa.eu/digital-single-market/en/implementation-nis-di- 65. National Security Authority, “Author- rective-slovakia, and Service pro- ity,” http://www.nbu.gov.sk/en/ viders under the Cybersecurity authority/index.html, and “Cyber- Act 2018, https://www.slov-lex. security Act 2018,” Article 5. sk/pravne-predpisy/prilohy/SK/ ZZ/2018/164/20180615_4883164-2. 66. Role and scope of the Cybersecu- pdf. rity Committee within the Security Council of the Slovak Republic, 76. “Cybersecurity Act 2018,” https://www.vlada.gov.sk/data/ Articles 24 and 25. files/6351_rp-vyborkb.pdf. 77. Cybersecurity Single Information 67. “Cybersecurity Act 2018,” Article 5. System, http://www.nbu.gov.sk/en/ cyber-security/cybersecurity-single-in- 68. Cybersecurity Single Information formation-system/index.html, and System, http://www.nbu.gov.sk/en/ “Cybersecurity Act 2018,” Article 8. cyber-security/cybersecurity-single-information-system/index.html, and 78. Ibid, Article 11 & 15. “Cybersecurity Act 2018,” Article 8.

41 79. Office of the Deputy Prime Minis- 85. “Which EU Country Is Most Vul- ter for Investments and Informa- nerable to Cybercrime?” 2018. tization, “Kybernetické hrozby sú reálne, Slovensko budú chrániť 4 86. “Evaluation report on the sev- jednotky CSIRT,” 21 September enth round of mutual evaluations 2018, https://www.vicepremier.gov. ‘The practical implementation and sk/aktuality/informatizacia/kyber- operation of European policies on neticke-hrozby-su-realne-slovens- prevention and combating Cyber- ko-budu-chranit-4-jednotky-csirt/. crime’ - Report on Slovakia,” 11.

80. Interview with Deputy Prime Minister’s 87. Ibid, 5 and 19. Office representative, 12 March 2019. 88. Ministry of Interior, “Data Sub- 81. Office of Personal Data Pro- jects’ Rights,” https://www.minv. tection, https://dataprotection. sk/?Data-Subjects-Rights. gov.sk/uoou/en/content/procedure-personal-data-protection. 89. Rebecca James, “Mandatory Data Retention in Slovakia,” 82. CSIRT.SK, “National level cyber Privacy Sniffs, 24 September exercises,” https://www.csirt. 2018, https://privacysniffs.com/ gov.sk/news-7f7.html?id=66. data-retention-law/slovakia/.

83. SK-CERT, “About us,” https:// 90. European Commission, “ILLEGAL www.sk-cert.sk/en/about-us/index. USE OF INTERNET TARGETED CALL html; NBU, “The Slovak Repub- FOR PROPOSALS,” 2013, https:// lic Again This Year Participated in ec.europa.eu/home-affairs/sites/home- the International Exercise of NATO affairs/files/financing/fundings/pdf/ Cyber Defence – Cyber Coalition isec/isec-grants-awarded-2013_en.pdf. 2018,” December 2018, http:// www.nbu.gov.sk/news/the-slo- 91. “Action Plan of Implementation vak-republic-again-this-year-par- of Cyber Security Concept of the ticipated-in-the-international-ex- Slovak Republic for years 2015- ercise-of-nato-cyber-defence-cy- 2020,” June 2016, http://www. ber-coalition-2018/index.html. nbu.gov.sk/wp-content/uploads/ cyber-security/Action-Plan-for-the- 84. Council of Europe, “Evaluation report Implementation-of-the-Cyber-Se- on the seventh round of mutual curity-Concept-of-the-Slovak-Re- evaluations ‘The practical implemen- public-for-2015-2020-_3_.pdf. tation and operation of European policies on prevention and combating 92. E-Slovensko, https://diaspora-en- Cybercrime’ - Report on Slovakia,” gagement.eu/org/eslovensko/. 22 September 2015, http://data. consilium.europa.eu/doc/document/ ST-9761-2015-REV-1-DCL-1/en/pdf.

42 93. University College Dublin Centre 103. OECD, “Highlights from the OECD for Cybersecurity & Cybercrime Science, Technology and Indus- Investigation, “Cyber Crime Train- try Scoreboard 2017 - The Digital ing (Slovakia),” 2014, https://www. Transformation: Slovak Repub- ucd.ie/cci/projects/current_projects/ lic,” (November 2017): 1, http:// cyber_crime_training_slovakia.html. www.oecd.org/slovakia/sti-scoreboard-2017-slovak-republic.pdf. 94. “Cyber Security Concept of the Slovak Republic for 2015-2020,” 17. 104. Research Agency of the Minis- try of Education, http://www.vys- 95. “Cybersecurity Act 2018,” Article 8. kumnaagentura.sk/en/opvai.

96. Ibid. 105. “How does Slovakia support innovations?”. 97. NIS fully transposed in Slovakia - https://ec.europa.eu/digital-sin- 106. European Commission, Scientific gle-market/en/implementation-nis-di- Grant Agency VEGA, https://rio. rective-slovakia, and Service pro- jrc.ec.europa.eu/en/organisations/ viders under the Cybersecurity scientific-grant-agency-vega. Act 2018, https://www.slov-lex. sk/pravne-predpisy/prilohy/SK/ 107. Slovak Statistical Office 2017, and ZZ/2018/164/20180615_4883164-2. Vladislava Gubalova, “Tackling Unem- pdf. ployment by Upgrading People’s Skills: New Skills for New Jobs and 98. “Cyber Security Concept of the the EU Support,” GLOBSEC Policy Slovak Republic for 2015-2020,” 10. Institute, 1 December 2017, https:// www.globsec.org/tackling-unem- 99. Ibid, 29. ployment-upgrading-peoples-skills- new-skills-new-jobs-eu-support/. 100. “Action Plan of Implementation of Cyber Security Concept of the Slo- 108. European Commission, “Europe’s vak Republic for years 2015-2020,” Digital Progress Report: Slovakia,” 8. (June 2016), areas 7.1 and 7.2. 109. Slovak Industry Initiative, https:// 101. Peter Adamovsky, “How does ec.europa.eu/growth/tools-data- Slovakia support innovations?” bases/dem/monitor/sites/default/ The Slovak Spectator, 15 Novem- files/DTM_Slovakia_FINAL.pdf. ber 2018, https://spectator.sme. sk/c/20961939/how-does-slova- 110. GLOBSEC round-table, https://www. kia-support-innovations.html. globsec.org/news/investing-in-human-resources-emerges-as-top-pri- 102. OECD, https://data.oecd.org/rd/ ority-at-globsec-chateau-bela-round- gross-domestic-spending-on-r-d.htm. table-on-cybersecurity-in-slovakia/.

43 111. Ministry of Finance, spending reviews 119. News report from TASR https:// https://www.finance.gov.sk/en/finance/ newsnow.tasr.sk/economy/it-digi- value-money/spending-reviews/. tal-coalition-swells-by-16-new-members-to-37/. 112. Slovak Technical University, https:// www.stuba.sk/buxus/gener- 120. Digital Coalition, “IT Fitness test ate_page.php?page_id=10887. 2018: prekročili sme hranicu 30 000 otestovaných!,” https://digitalna- 113. IT Academy - Education for the 21st koalicia.sk/fitness-test-pred-ukon- Century, September 2016, http:// cenim-certifikacnej-cas- itakademia.sk/zakladne-informacie/. ti-testu-29-500-otestovanych/.

114. ESET Research Center, https://www. 121. Digital Coalition website https://itas. stuba.sk/english/science-and-research/ sk/vysledky-it-fitness-testu-2018-zi- other-research-centres-and-lab- aci-maju-problemy-s-ky- oratories/eset-research-cen- bernetickou-bezpecnostou/. tre.html?page_id=11886. 122. Ibid. 115. Košice IT Valley, http://www.kosiceitvalley.sk/en/about-kosice-it-valley/ and 123. Remarks by Deputy Prime Minister http://www.kosiceitvalley.sk/inovacie/. for Investment and Informatization Richard Rasi, American Chamber 116. European Cyber Security Organisa- of Commerce, Slovakia, 15 May tion, https://ecs-org.eu/activities. 2018, http://www.amcham.sk/download.pl?hash=A9wvUoiwiXim5d- 117. European Commission, “Digital sUj4QLNy9Digrr1lvl&ID=4983. Coalition launched in Slovakia,” November 2017, https://ec.europa. 124. Touch IT article dated 10 February eu/digital-single-market/en/news/ 2019 https://touchit.sk/vicepremier-ra- digital-coalition-launched-slovakia. si-podpisal-memorandum-o-spo- lupraci-v-oblasti-umelej-inteligen- 118. IT Association of Slovakia, “Dig- cie-a-smart-cities-so-spojenymi-ar- itálna koalícia na výročnom zasad- abskymi-emiratmi/217962. nutí ocenila najaktívnejších členov za rok 2018,” 14 February 2018, 125. Deputy Prime Minister’s Office for https://itas.sk/digitalna-koalicia-na-vy- Investment and Informatization, rocnom-zasadnuti-ocenila-najak- 28 August 2017, https://www.vice- tivnejsich-clenov-za-rok-2018/. premier.gov.sk/aktuality/regional- ny-rozvoj/smart-cities-chcete-hod- notit-projekty-za-milion/index.html.

44 126. Deputy Prime Minister’s Office 133. French Government, “Paris Call for for Investment and Informati- Trust and Security in Cyberspace,” zation, 11 March 2019, https:// 12 November 2018, https://www. www.vicepremier.gov.sk/aktuality/ diplomatie.gouv.fr/IMG/pdf/paris_ informatizacia/rasi-mame-priprav- call_text_-_en_cle06f918.pdf?wpis- enu-strategiu-digitalnej-transfor- rc=nl_cybersecurity202&wpmm=1. macie-slovenska/index.html. 134. Tatiana Jancarikova, “Slovakia has no 127. “Cyber Security Concept of the evidence of Huawei security threat Slovak Republic for 2015-2020,” - prime minister,” Reuters, 30 Janu- 10 and 18; and “Strategic Docu- ary 2019, https://www.reuters.com/ ment for Digital Growth and Next article/us-usa-china-huawei-slovakia/ Generation Access Infrastruc- slovakia-has-no-evidence-of-hua- ture (2014-2020),” 86 and 112. wei-security-threat-prime-minister-idUSKCN1PO1TO. 128. “Cybersecurity Act 2018,” Article 5(h). 135. “National Strategy for Information 129. ENISA, “NIS Platform,” https://resil- Security,” 8; and Slovak Republic, ience.enisa.europa.eu/nis-platform. Ministry of Defense, “The White Paper on Defense of the Slovak 130. OSCE, “Programme of the Slo- Republic,” (2013): 49, 127, http:// vak OSCE Chairmanship 2019,” www.mosr.sk/data/WP2013.pdf. https://www.osce.org/chairmanship/408353?download=true. 136. Military Intelligence, “About us,” http://vs.mosr.sk/o-nas/#poslanie. 131. “Slovakia and France to Deepen Cooperation in Field of Cyber 137. Slovak Republic, Ministry of Defense, Threats,” News Now, 16 October “White Paper on the Defense of the 2018, https://newsnow.tasr.sk/foreign/ Slovak Republic,” (2016), https://www. slovakia-and-france-to-deepen-co- mosr.sk/data/WPDSR2016_LQ.pdf. operation-in-field-of-cyber-threats/. 138. Ibid. 132. NBU, “The National Security Author- ity shared its experience with Azer- 139. Cyber Defense Center of the Slo- baijan on cybersecurity,” Novem- vak Republic, “About Us,” http:// ber 2018, http://www.nbu.gov.sk/ csirt.mil.sk/75689/?mne=3146. news/the-national-security-authority-shared-its-experience-with-azer- 140. Cyber Defense Center of the Slovak baijan-on-cybersecurity/index.html. Republic, “CSIRT.MIL.SK,” http:// csirt.mil.sk/75688/?mne=3149.

45 141. “Cybersecurity Act 2018,” Article 35.

142. Military Intelligence, http://vs.mosr. sk/nova-legislativa-pre-oblast-ky- bernetickej-obrany/eng.

143. “Cyber Security Concept of the Slovak Republic for 2015-2020,” 9.

144. National exercise on critical information infrastructure protection SISE 2012, November 2012, https://www. csirt.gov.sk/aktualne-7d7.html?id=53.

145. “Draft Security Strategy of the Slo- vak Republic,” (2017), https://www. slov-lex.sk/legislativne-procesy/-/ SK/dokumenty/LP-2017-627.

146. Ibid.

147. Military Intelligence’s budget for 2017, http://vs.mosr.sk/ sprava-o-cinnosti-vs-2017/.

148. Ministry of Defense’s budget for 2018, https://www.mod. gov.sk/data/files/3574.pdf.

46 ABOUT THE AUTHORS

Melissa Hathaway is a leading expert in cyberspace policy and cyber security. She served in two US presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. Today, she is a Senior Fellow and a member of the Board of Regents at Potomac Institute for Policy Studies. She is also a Senior Advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs, a Distinguished Fellow at the Centre for International Governance Innovation in Canada, a non-resident Research Fellow at the Kosciuszko Institute in Poland, and she is President of Hathaway Global Strategies LLC, her own consultancy. Melissa developed a unique methodology for evaluating and measuring national levels of preparedness for certain cyber security risks, known as the Cyber Readiness Index (CRI). The CRI methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is being applied to 125 countries. The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. Having served on the board of directors for two public companies and three non-profit organizations, and as a strategic advisor to a number of public and private companies, Melissa brings a unique combination of policy and technical expertise, as well as board room experience to help others better understand the intersection of government policy, developing technological and industry trends, and economic drivers that impact acquisition and business development strategy in this field. She publishes regularly on cyber security matters affecting companies and countries. Most of her articles can be found at the following website: http://belfercenter.ksg.harvard.edu/experts/2132/melissa_hathaway.html.

Francesca Spidalieri is the co-principal investigator on the Cyber Readiness Index Project at the Potomac Institute for Policy Studies. She is also an Associate for Hathaway Global Strategies LLC, and serves as the Senior Fellow for Cyber Leadership at the Pell Center, at Salve Regina University, as a cyber security subject-matter expert for the UN International Telecommunications Union (ITU), as a Distinguished Fellow at the Ponemon Institute, and as a non-resident Research Fellow at the Kosciuszko Institute in Poland. Her academic research and publications focus on cyber leadership development, cyber risk management, comparative organization analysis, and cyber security workforce development. In 2015, she published a report, entitled State of the States on Cybersecurity, that applied the Cyber Readiness Index 1.0 at the US state level. All her additional studies and academic articles can be found at the following link: http://pellcenter.org/cyber-leadership/.

Anushka Kaushik is a research fellow at GLOBSEC, a think-tank based in Bratislava, Slo- vakia, where she drives the organisation’s research efforts in cybersecurity policy. She has published papers on attribution of cyber attacks and policy implications of end-to-end encryption. She has previously worked on data protection policies and internet governance at the International Chamber of Commerce and was a Research Associate at the Centre des Recherches Internationales (CERI). While at the Indian Ministry of Electronics and Information Technologies, her research activities were centered on national e-governance advocacy plans. For more information or to provide data to the CRI 2.0 methodology, please contact: [email protected]

The CRI 2.0 methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is currently being applied to 125 countries.

The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. POTOMAC INSTITUTE FOR POLICY STUDIES 901 N . Stuart St . Suite 1200, Arlington, VA 22203 www.potomacinstitute.org