CSS CYBER DEFENSE PROJECT NATIONAL CYBERSECURITY AND CYBERDEFENSE POLICY SNAPSHOTS Updated Collection 2 Edited by Sean Cordey and Robert S. Dewar Zürich, September 2019 Cyber Defense Project (CDP) Center for Security Studies (CSS), ETH Zürich National Cyberdefense Policy Snapshots Editors: Sean Cordey and Robert S. Dewar © 2019 Center for Security Studies (CSS), ETH Zürich Contact: Center for Security Studies Haldeneggsteig 4 ETH Zürich CH-8092 Zürich Switzerland Tel.: +41-44-632 40 25 [email protected] www.css.ethz.ch Analysis prepared by: Center for Security Studies (CSS), ETH Zürich ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group; Myriam Dunn Cavelty, Deputy Head for Research and Teaching; Andreas Wenger, Director of the CSS. Disclaimer: The opinions presented in this study exclusively reflect the authors’ views. Please cite as: Sean Cordey and Robert S. Dewar, ed. (2019): National Cybersecurity and Cyberdefense Policy Snapshots: Updated Collection 2, 2019, Center for Security Studies (CSS), ETH Zürich. 2 National Cyberdefense Policy Snapshots Contents Introduction 4 Austria 7 Finland 33 France 53 Germany 69 Italy 89 The Netherlands 109 Singapore 129 The United Kingdom 147 Summary of Findings and Conclusion 164 Contributors 170 3 National Cyberdefense Policy Snapshots – Introduction Introduction Robert S. Dewar Center for Security Studies, ETH Zürich1 1. National Policy Frameworks for Cybersecurity and Cyberdefense The goal of this publication is to understand current cybersecurity policies as a facet of a country’s national security policy, and particularly how cyberdefense is embedded in a state’s cybersecurity posture. In the past decade cyber- conflict has been increasingly discussed at the highest political and military levels. It has also broadened as a concept to include not just cyberattacks on critical infrastructure, but acts of hybrid warfare and state-sponsored campaigns to affect or change public opinion. Cyberspace is therefore increasingly being viewed as both a strategic domain and as a tool to be used in a strategic manner. Cyber-conflict itself has moved towards what Liddell Hart (1965) described as “grand strategy”: all the resources of a nation state – economic, military, diplomatic, social and informational – are being deployed in both peacetime and wartime to ensure that the state and its citizens remain secure in an increasingly digital and connected world. Due to the ever-increasing availability and variety of sophisticated malicious digital tools and the ease with which these tools can be deployed, cybersecurity is now a crucial element of national security. Within this larger context, the concept of cyberdefense, with its implicit military connotation, has also gained significantly more prominence. Defining “cybersecurity” and “cyberdefense” is problematic and presents an ongoing challenge (Kruger, 2012). National policies of the kind analyzed in the snapshots contained in this collection define these concepts very differently. However, in order to conduct an effective examination and analysis of national policy a set of baseline definitions is needed. As working definition, we understand cyberdefense to fall under the purview of a country's national security policy, and therefore is a part of its defense department or ministry, while nevertheless retaining a close a link to the overall policy efforts to improve a country's cybersecurity. As such cyberdefense intersects with cybersecurity. Cybersecurity policies tend to be more holistic and are released into the public domain, with references to ensuring civilian that infrastructures such as banking and personal computer networks are secure and resilient to cyber- intrusions, and setting out measures designed to tackle online criminal activity (cybercrime). Cyberdefense by contrast is more of a closed box. This is due to its close relationship to secret, classified aspects of government policy and activity.2 As such, cyberdefense deserves special attention in studies of national policy such as this collection of analyses and is treated separately in the policy snapshots contained in this collection. Since there is an overall impression that the risks to national security from cyberspace have changed both in terms of quantity (more incidents are occurring) and quality (these incidents are becoming more sophisticated), many states have re-evaluated their previous cybersecurity efforts. In the ten years to 2019 a large number of national policies and strategies have been published specifically addressing cybersecurity and cyberdefense. Although these policies and strategies address similar issues, there is significant variation in approaches given national priorities and conceptualizations of the issues at hand. 2. Purpose of the handbook: What is a “snapshot”? This current edition explores the trends and divergences in these national policies in order to better understand how cyberdefense intersects with cybersecurity policy. In a systematic fashion we take a snapshot of the current national cybersecurity and cyberdefense policies of eight important European and international actors – Austria, Finland, France, Germany, Italy, the Netherlands, the United Kingdom and Singapore. The collected analyses examine where these states currently stand from a policy perspective and how they deal with cyber issues. The objective of these snapshots is to provide clear information and insight into important core aspects of cybersecurity and cyberdefense policy at the state level. This is achieved by examining current and former cybersecurity, cyberdefense and national security policy and strategy documents published by countries around the world. 1 Robert S. Dewar is now Head of Cyber Security at the Geneva Centre for Security Policy. 2 It is important to note that these definitions are intended as a baseline or starting point for analysis in order to differentiate core policy documents. They are not indented to supersede or supplant any definitions provided by the national policies under examination. National definitions, where they are provided in the policy literature, are presented in the glossaries of each snapshot. 4 National Cyberdefense Policy Snapshots – Introduction The documents examined to produce these national snapshots are open-source and in the public domain. They are drawn from ministerial sources as well as publically available online repositories of such policies, including those of the European Network and Information Security Agency (ENISA)3 and NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE).4 Open-source documents were chosen for analysis to ensure that any findings or conclusions could be published and made freely available. All of the snapshots are either compiled or at least validated by national experts. There are two consequences of basing the analysis on published policy documents that are important to note at this point. The first is that that analysis can only examine areas discussed in those documents. As a result, certain questions of interest or importance – such as the impact of new legal norms such as the Tallinn Manual or ongoing activities at European Union – can only be examined if specific mention of them is made in the policy documents. While not discussing these questions may seem like an omission on the part of the researchers and editors, they are in fact restricted by the scope of the documents used for the analysis. It is envisaged that, as the corpus of policy literature expands, so too will the areas and questions of analysis given the priorities and foci of the countries being examined. The second consequence of basing the analysis on open-source policy documents is that that there is a concentration on de jure relationships, responsibilities and actions. De facto situations are too abstract and subjective to be included as part of an analysis and he the de facto jurisdictions of a cybersecurity or cyberdefense agency present different questions to the ones being examined in the snapshots. An example of this can be found in the examination of the United Kingdom’s Government Communications Headquarters (GCHQ). This agency is heavily involved in intelligence-gathering and works closely with the UK’s Ministry of Defence. This is a de facto military relationship given the GCHQ’s work. However, the GCHQ falls under the oversight of the Foreign Office and is therefore a de jure civilian entity. This civilian nature is stated in the policy literature, from which the snapshot analysis is drawn. 3. Structure of the snapshots Each national snapshot contains four sections of analysis. Section 1 provides a timeline of document publication contextualized with major cybersecurity incidents which impacted policy development. Section 2 of each snapshot provides more detailed analysis and understanding of current policy and strategy. It zooms in on specific national security, cybersecurity and cyberdefense policy documents (where such documents exist), examines core themes, fields, tasks and priorities and extrapolates interconnections between the documents. There is a particular focus on any identifiable relationships between cyberdefense and national security policy. Section 3 continues the focused analysis, but concentrates on the organizational structures and frameworks used to develop and implement policy. It sets out any overarching frameworks, and specifies identified relationships between the various national agencies, ministries and bureaux involved in cybersecurity
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages174 Page
-
File Size-