Routledge Companion to Global Cyber-Security Strategy

  1. 560 pages
  2. English

About this book

This companion provides the most comprehensive and up-to-date comparative overview of the cyber-security strategies and doctrines of the major states and actors in Europe, North America, South America, Africa, and Asia.

The volume offers an introduction to each nation's cyber-security strategy and policy, along with a list of resources in English that may be consulted by those wishing to go into greater depth. Each chapter is written by a leading academic or policy specialist, and contains the following sections:

  • overview of national cyber-security strategy;
  • concepts and definitions;
  • exploration of cyber-security issues as they relate to international law and governance;
  • critical examinations of cyber partners at home and abroad;
  • legislative developments and processes;
  • dimensions of cybercrime and cyberterrorism;
  • implications of cyber-security policies and strategies.

This book will be of much interest to students and practitioners in the fields of cyber-security, national security, strategic studies, foreign policy, and international relations.

Routledge Companion to Global Cyber-Security Strategy by Scott N. Romaniuk and Mary Manjikian is available in PDF and/or ePUB format, listed under Politics & International Relations and Computer Science General.

PART I

Europe

1
SECURING THE KINGDOM’S CYBERSPACE

Cybersecurity and cyber intelligence in Spain
Rubén Arcos

Introduction

Cybersecurity is an important element in Spanish National Security; Spain adopted a specific National Cybersecurity Strategy in 2013. The Spanish Security Strategy of 2011 included – for the first time – cyber threats and attacks among the main threats to national security (Cendoya, 2016) and the National Defence Directive of 2012 also anticipated the development of a National Cybersecurity Strategy.
Spain’s 2017 National Security Strategy, defined by the National Security Council, identifies cyberspace, a global common space (together with maritime, airspace, and outer space), as a particular area of vulnerability, either because of the use of the cyber environment for illicit purposes (terrorism, organized crime, and disinformation campaigns), or because of cyber threats such as information theft, hacking of devices, DDoS attacks, and attacks against infrastructures considered critical, among others.
The Kingdom of Spain has a high level of commitment to cybersecurity according to the International Telecommunications Union (ITU) and is a member country of the Freedom Online Coalition. Spain is ranked in 7th position globally (with a GCI score of 0.896) and 5th regionally in the ITU Global Cybersecurity Index, which aims to “measure the commitment of countries to cybersecurity in order to raise cybersecurity awareness” (ITU, 2019). Analogously to the United Kingdom, the United States, France, and Lithuania, it scored highest in the legal (“existence of legal institutions and frameworks dealing with cybersecurity and cybercrime”) and organizational (“existence of policy coordination institutions and strategies for cybersecurity development at the national level”) pillars of the ITU framework (ITU, 2019: 8).
Spain’s geographical setting and geostrategic position have implications in the domain of cyberspace. Its mainland national territory is located in Southwestern Europe, in the Iberian Peninsula; the Canary and Balearic Islands, as well as other smaller islands and territories in North Africa, are also part of the Kingdom of Spain. As stated in the 2017 National Security Strategy:
Spain’s identity is at once European, Mediterranean and Atlantic. Its singular geostrategic position and natural orientation towards different spaces requires it to have its own strategic and dynamic vision. Its central position in key areas – between Europe and North Africa; between the Mediterranean and the Atlantic; and with peninsular territory, archipelagos, islands and the sovereign territories in North Africa – makes Spain a bridge between countries and cultures, conferring upon it a specific security profile.
(Presidency of the Government, 2017: 22)
The “physical segment of the cyberspace” is associated with the physical infrastructure of submarine and land cables as well as satellites providing connectivity across lands and seas (Sheldon, 2014: 287). As early as the end of the nineteenth century, during the Spanish-American War, Spain experienced the disruptive effects of telegraph cable-cutting operations carried out by the US Navy targeting the communications between Spain and its colonial territories.
Moreover, with over 95 percent of international communications and data transmission occurring via the global subsea network, routine activities like sending emails overseas, searching the Internet, downloading music or video, and the like are most likely to involve underwater fibre-optic cables (Carter & Burnett, 2015: 349).
Securing this physical segment in the strategic maritime domain is thus critical for a “maritime nation like Spain” (Departamento de Seguridad Nacional, 2013: 12). However, this physical infrastructure is mainly owned by private operators, which has important implications for sovereignty and autonomy. For example, the transatlantic submarine cable MAREA connects Sopelana (Spain) and Virginia (US) – its two landing points – and is owned by a partnership comprising Microsoft, Facebook, and Telefónica’s Telxius. Also, in the Bay of Biscay, Tata Communications owns and operates VSNL Western Europe (formerly named TGN Western Europe), a submarine cable connecting Spain and Highbridge in the UK (Red Eléctrica de España, 2017; Telegeography, 2019). Figure 1.1 illustrates these submarine cable connections with Spain’s mainland, as well as connections in and between the Canary and Balearic Islands, with North Africa.
Figure 1.1 Submarine Communications Cable Map
Source: Telegeography (2019).
As Sheldon (2014: 288–289) argues, “the ubiquity of cyberspace” should not obscure the role played by “geography and geopolitics in its use” since:
the target itself is geographically located in that the computer network penetrated, the data pilfered or otherwise manipulated, and the political, economic, and military significance of the data are owned by and within the sovereign territory of some political entity.
The Spanish Maritime Security Strategy of 2013 highlights that “maritime connectivity between the mainland and the islands and the Autonomous Cities of Ceuta and Melilla is one of the pillars of Spain’s geopolitical structure” and points out threats from cyberspace as one of the potential risks and threats against the multiple national interests in the maritime security dimension (Gobierno de España, 2013).

National cybersecurity system

The National Cybersecurity Council (CNC) is the specialized committee and collegiate body for supporting the National Security Council (CNS) in the field of cybersecurity. The creation of the CNC was an initiative agreed at the CNS meeting of December 5, 2013. At that same meeting the first specific National Cybersecurity Strategy was adopted; this strategic document is the framework for reference regarding cybersecurity in Spain. The National Cybersecurity Strategy was updated on April 12, 2019 after the meeting of the CNS and was publicly released as the National Cybersecurity Strategy by the Order PCI/487/2019 of April 26. The National Cybersecurity Strategy 2019 specifies the components that make up the structure of the Spanish cybersecurity apparatus in the framework of the National Security System: (1) National Security Council (Government Delegate Commission for National Security); (2) Situation Committee for Crisis Situations; (3) National Cybersecurity Council; (4) Permanent Commission on Cybersecurity; (5) National Forum of Cybersecurity; and (6) competent public authorities and national Computer Security Incident Response Teams (CSIRTs) of reference (Orden PCI/487/2019).
The CNS, in its capacity as the Government Delegate Commission for National Security, is the body responsible for assisting the Prime Minister in the direction of the Spanish National Security Policy. As stated in the strategy, the CNS acts through the Department of National Security (DSN) – which is part of the Cabinet of the Presidency of the Government (Prime Minister) – as the single point of contact for liaison and for ensuring cross-border cooperation with other member countries of the EU. The Situation Committee is also supported by the DSN and follows the direction of the CNS in crisis situations.
The National Cybersecurity Council met on April 9, 2019 with three main points on the agenda: (1) evaluation and monitoring of the work carried out in the preparation of the National Cybersecurity Strategy of 2019; (2) actions carried out to counter disinformation and protection of electoral processes – Spanish elections of April and European elections of May 2019; and (3) the security of 5G telecommunications networks (DSN, 2019b). On April 12, the National Security Council held its last meeting before the April 28 Elections and the Prime Minister, Pedro Sánchez, highlighted the key role of cybersecurity in “the preservation of the rights and liberties of citizens, the defence of Spain, as well as the transformation of our digital society necessary for progress, innovation and industrial development” (DSN, 2019c).
According to the ORDER PRA/33/2018 of January 22, the National Cybersecurity Council has, among others, the following functions: proposing guidelines on the planning and coordination of the National Security policy with regard to cybersecurity; supporting the CNS in its function of verifying the degree of compliance with the National Security Strategy in relation to cybersecurity; contributing to normative proposals for strengthening the National Security System in the field of cybersecurity; supporting CNS decision-making on cybersecurity matters, through analyses, studies and proposals; strengthening relationships with the relevant Public Administrations in the field of cybersecurity; the coordination, collaboration, and cooperation between public and private sectors; and assessing risk and threats as well as analysing likely crisis scenarios in support of the Situation Committee (ORDER PRA/33/2018). The presidency of the CNC is held by the Secretary of State Director of the National Intelligence Centre while the post of Vice-President is held by the Director of the DSN. The DSN is designated both as the permanent working body of the Cybersecurity Council as well as its technical secretariat (ORDER PRA/33/2018).
As stated above, the National Security Council, through the DSN, is the Spanish designated single point of contact for “coordinating issues related to the security of network and information systems and cross-border cooperation at union level” – the NIS Cooperation Group – while the National Cryptologic Centre’s CCN-CERT (public sector) and the National Cybersecurity Institute’s INCIBE-CERT (private sector) are the designated national CSIRTs for the CSIRTs Network. According to a press release by the French Agence nationale de la sécurité des systèmes d’information (ANSSI), in July 2019 the national cybersecurity authorities of 23 Member States, ENISA, and the European Commission gathered for the first time at high level in Paris to run the table-top exercise Blue OLEx – a joint proposal by France and Spain in which “on the basis of several short scenarios” the responsible authorities discussed “the mechanisms that could be implemented to efficiently manage a cyber crisis affecting the EU Member States” (ANSSI, 2019).
The National Cybersecurity Strategy 2019 establishes both the Permanent Commission on Cybersecurity and the public–private National Cybersecurity Forum but these elements in the cybersecurity system require further development and implementation.
Relationships between relevant public cybersecurity organizations and private companies are solid, as evidenced by different initiatives such as the establishment of the non-profit and independent association CSIRT.es, which integrates computer security incident response teams. According to official studies, the cybersecurity industry integrated over 530 active companies in Spain in 2014. The CSIRT.es Forum’s website includes some of the relevant membership CSIRT/CERT teams from private companies.
The Royal Decree 12/2018, of September 7, of Security of Network and Information Systems, incorporates the European Network and Information Systems Directive into the national legal framework. Articles 9 and 11 designate the competent authorities and the Computer Security Incident Response Teams of reference (CSIRTs) as illustrated in Table 1.1. Accordingly, the CSIRT/CERT of reference are:
  1. For the operators of essential services:
    1. The CCN-CERT, of the National Cryptologic Center, which corresponds to the community of reference constituted by the public sector – as described in the Article 2, Chapter 1, of the Law 40/2015 of October 2.
    2. The INCIBE-CERT, of the National Cybersecurity Institute of Spain, which corresponds to the reference community constituted by those entities not included in the subjective scope of application of Law 40/2015. The INCIBE-CERT is operated jointly by the INCIBE and the CNPIC (Ministry of Interior) in all that refers to the management of incidents that affect the critical operators.
    3. The ESPDEF-CERT, of the Ministry of Defense, which will cooperate with the CCN-CERT and INCIBE-CERT in those situations that they require in support of the operators of essential services and, necessarily, in those operators that have an impact on National Defense and that are determined by regulation.
  2. For digital service providers that are not included in the CCN-CERT community of reference, the INCIBE-CERT is the CSIRT of reference. INCIBE-CERT is also the incident response team of reference for citizens, private law entities and other entities not included in section 1 above (Royal Decree 12/2018).
Table 1.1 Royal Decree-Law 12/2018, of September 7, on Network Security and Information Systems

| Scope | CSIRT of Reference | Authority of Reference |
|---|---|---|
| Operator of Essential Services | ESPDEF-CERT (Joint Cyber Defence Command): Cooperation with the CCN-CERT and INCIBE-CERT in those situations that they require in support of the operators of essential services and, necessarily, in those operators that have an impact on National Defense and that are determined by regulation. | |
| Operator of Essential Services, Critical, Private Sector | INCIBE-CERT | National Centre for Critical Infrastructure Protection and Cybersecurity (CNPIC) of the State Secretariat for Security (Ministry of Interior) |
| Operator of Essential Services, Critical, Public Sector | CCN-CERT | |
| Operator of Essential Services, Non-Critical, Private Sector | INCIBE-CERT | Sectorial Authority |
| Operator of Essential Services, Non-Critical, Public Sector | CCN-CERT | National Cryptologic Centre (CCN) (Ministry of Defence) |
| Provider of Digital Services, Critical, Private Sector | INCIBE-CERT | National Centre for Critical Infrastructure Protection and Cybersecurity (CNPIC) of the State Secretariat for Security (Ministry of Interior) |
| Provider of Digital Services, Critical, Public Sector | CCN-CERT | |
| Provider of Digital Services, Non-Critical, Private Sector | INCIBE-CERT | Secretariat of State for Digital Advancement (SEAD) of the Ministry of Economy and Business |
| Provider of Digital Services, Non-Critical, Public Sector | CCN-CERT | National Cryptologic Centre (CCN) |

Source: CCN-CERT IA 13/19 and Royal Decree 12/2018.
Regarding coordination betwe...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. List of figures
  7. List of tables
  8. List of contributors
  9. Foreword: Global cybersecurity in the 21st century
  10. Introduction: cybersecurity strategy and policy in a comparative context
  11. Part I: Europe
  12. Part II: Asia and Australia
  13. Part III: The Middle East
  14. Part IV: The Americas
  15. Part V: Africa
  16. Index