Cybersecurity Strategy of the Kyrgyz Republic for 2019-2023

This is not an official translation. Please refer to the source material.

I. Introduction

Information and communication technologies have now become one of the most widespread, core, global technologies that determine the dynamics of development of the world economy and individual niches and segments dependent on it.

The Internet is a central component of the global information technology and communications industry. According to the International Telecommunication Union, by the end of 2018, more than 3.9 billion people had access to the global network. The trend in the spread of Internet technologies shows annual growth, and according to forecasts of the International Telecommunication Union, by 2023, 70 percent of the world’s population will have access to the Internet.

At the same time, information and communication technologies in all sectors of economic, business, management and other activities act as a global converter of business processes from analogue to digital format, and contribute to the transformation of all kinds of interaction at the level of individual citizens, business and government, as well as at the international level.

The global trend of digitalization creates high added value, reduces time, material, administrative and other costs in all types of processes, transactions and other interactions.

Under these conditions, the Kyrgyz Republic is making its own move towards the digital transformation of the national economy and ensuring citizens’ access to modern digital services. Building a digital economy within the framework of this Strategy is considered as a necessary condition and national priority for the development of the Kyrgyz Republic in the short and medium term. The contours of the digital transformation strategy of the Kyrgyz economy are formed within the framework of the Digital Transformation Concept “Digital Kyrgyzstan 2019-2023”, approved by decision of the Security Council of the Kyrgyz Republic dated December 14, 2018 No. 2 (hereinafter referred to as the Concept).

A necessary condition for solving problems and achieving the goals set within the framework of this Concept and possible other initiatives for the digital transformation of the national economy is to ensure the security of relevant infrastructures, services and business processes. It is necessary to take into account that the development of information and communication technologies and the digital economy inevitably entails certain risks and threats. However, at present, the basic conditions have not been created in the Kyrgyz Republic, without which it is impossible to ensure the security of digital transformation and the development of the national information technology and communications industry as a whole. In particular:

– there is no framework document that forms the doctrinal basis and acts as a unified “system of coordinates” for state policy in the field of cybersecurity;

– there are significant gaps in the system of regulatory legal acts and cybersecurity policies (lack of a system and approaches to responding to computer incidents, ensuring the security of the critical information infrastructure of the Kyrgyz Republic, international cooperation in the field of cybersecurity);

– in those areas of public policy where a system of regulatory legal acts, and the approaches it sets to regulating information technologies and information and communication technologies, is present, that system is incomplete and lags behind current trends in the development of information and communication technologies and cybersecurity (countering computer crime, regulation in areas of information security, technical standardization in the field of information technology);

– an approach to ensuring the required level of computer hygiene and digital literacy, as well as, in general, to building capacity among various subjects (state civil servants, law enforcement officers) for the implementation of state policy in the field of cybersecurity has not been built.

To solve these problems and eliminate gaps, it is necessary to form a system of principles and strategic directions for building a national cybersecurity system, which will serve as the basis for the formation and implementation of the state policy of the Kyrgyz Republic in this area. At the same time, it is necessary to take into account international experience, best practices and recommendations, but at the same time proceed from the specific conditions of the Kyrgyz Republic, which include the following:

– land location of the Kyrgyz Republic, lack of access to the sea, relatively low level of development of information and telecommunications infrastructure in the region;

– partial historical continuity of the system of legislation, technical regulation and state institutions of the Kyrgyz Republic in the field of information security in relation to the USSR and a historically determined orientation towards integration formats of the post-Soviet space. This feature increases the importance of the task of developing approaches to the conceptual apparatus of cybersecurity, regulation of means of cryptographic information protection and technical standardization in the field of information technology and communications, which will allow the public policy of the Kyrgyz Republic to be adapted to the best international practices and experience, without destroying the historically established regulatory system;

– dependence of the Kyrgyz Republic in matters of testing and certification of cryptographic information protection means and organization of interstate electronic interaction within the framework of the EAEU format. This factor necessitates the formation of national resources and institutional mechanisms of the Kyrgyz Republic, including for independently solving such problems;

– an extremely small volume of the domestic market for tools and solutions in the information technology and communications industry, including the cybersecurity sector of the Kyrgyz Republic, and almost complete dependence on foreign suppliers of software and hardware products. This circumstance increases the importance of the task of developing a national certification system for imported products in the field of information technology, as well as testing it for vulnerability and undeclared capabilities to maintain technical neutrality and sovereignty.

II. Basic principles of a cybersecurity strategy

1. Maintaining a balance of interests of the individual, society and the state. The primary subject and beneficiary of the implementation of this Strategy are citizens of the Kyrgyz Republic. Effective practical implementation and release of material and financial resources to achieve the goals of the Strategy are ensured through the development of mechanisms of public-private interaction in the information technology and communications industry, as well as the minimization of regulatory legal and other administrative barriers to the development of initiatives in the field of cybersecurity.

2. Complex nature. The Strategy provides the foundation for building a comprehensive, unified and end-to-end government policy in the field of cybersecurity of the Kyrgyz Republic:

1) the comprehensive nature of state policy includes the tasks of ensuring cybersecurity in all key areas, all sectors, considering such areas and sectors not separately, but in mutual connection;

2) the unified nature of state policy presupposes general coordination and work to solve the assigned tasks of ministries and departments of the Kyrgyz Republic, as well as close interaction between government agencies and the private sector, the academic and engineering communities, and non-governmental organizations;

3) the cross-cutting nature of state policy involves the development and implementation of measures at all levels: from the individual citizen to the state as a whole.

3. Priority to ensure the security of critical information infrastructure. Ensuring the cybersecurity of the critical information infrastructure of the Kyrgyz Republic is a key link in the formation and implementation of state policy in the field of cybersecurity. At the same time, the lack of a systematic approach and regulatory framework in this area represents the most serious obstacle to ensuring cybersecurity in the process of digital transformation of the domestic economy. The most important conditions for the successful implementation of public policy in this part are: a clear definition of critical information infrastructure objects based on a system of criteria and measurable parameters, active interaction with the private sector, building a comprehensive system of measures and requirements to ensure the cybersecurity of critical information infrastructure. At the same time, the main task is to ensure the availability, integrity and confidentiality of information in information systems, as well as ensuring the stability and continuity of the functioning of critical information infrastructure objects in the conditions of computer attacks and computer incidents. In the chain “incident prevention – incident management – recovery after an incident,” the priority is to prevent an incident through regulatory, organizational, technical and other measures and resources.

4. Connection and subordination of the goals of the Strategy to the general objectives of socio-economic development, including the digital transformation of the economy of the Kyrgyz Republic. Ensuring the cybersecurity of citizens, society and the state, being an independent task, fits into the general context of the development of the information technology and communications industry in the Kyrgyz Republic and is carried out as an integral component of state policy to increase the level of development of the information technology and communications industry in the Kyrgyz Republic, expand and improve the system of electronic management services and electronic document management services, as well as the implementation of the Concept. Investing the necessary resources in ensuring cybersecurity should not lead to slowing down the processes of digital transformation of the economy of the Kyrgyz Republic.

5. Step-by-step approach and taking into account resource limitations. The Cybersecurity Strategy of the Kyrgyz Republic and the Action Plan for its implementation involve a breakdown of tasks into stages within the horizon of 2023, prioritization of tasks and taking into account the resource limitations that exist at the initial stage. As a matter of priority, it is necessary to fill the main gaps in the system of regulatory concepts, legislation and institutions of the Kyrgyz Republic necessary for the implementation of state policy in the field of cybersecurity (the conceptual apparatus of cybersecurity, regulatory legal acts in the field of ensuring the security of critical information infrastructure, the organizational and legal foundations of the domestic system for responding to computer incidents, a system of interdepartmental coordination of state policy in the field of cybersecurity, the development of a system of technical standardization and initiatives in the field of international cooperation, etc.). Limitations on financial, material, technical and human resources shift the implementation of a number of tasks to a later date (deep industry specialization of computer incident response centers, development of a system of proprietary cryptographic standards, formation of the Kyrgyz Republic’s own cyber defense system, development of specialized cybersecurity policies for new niches of digital infrastructure, such as the Internet, large amounts of data, distributed registries, etc.).

6. Integration and continuity in relation to current regulatory legal acts. The most important condition is the absence of contradictions between the goals, content and principles of state policy in the field of information security, already established in the Kyrgyz Republic. This Strategy does not create the need to cancel or revise the current policy framework in the field of technical standardization and technical regulation in terms of information technology, and also does not contradict the current system of regulatory legal acts, as well as international treaties that have entered into force in accordance with the procedure established by law, to which the Kyrgyz Republic is a party.

7. The priority role and multi-vector nature of international cooperation in the field of cybersecurity. The strategy involves the active participation of the Kyrgyz Republic in various international formats and work processes in the field of cybersecurity. The fundamental principle of such cooperation on the part of the Kyrgyz Republic is its multi-vector nature and maximum depoliticization.

III. Goal and objectives

8. The purpose of this Strategy and Action Plan is to form a domestic cybersecurity system and policy to ensure an appropriate level of security for citizens, businesses and the state, allowing them to protect their vital interests in cyberspace and ensure sustainable socio-economic development of the Kyrgyz Republic, including the digital transformation of the economy.

9. The implementation of the Strategy will be carried out in conjunction with a set of measures of the “road map” for the implementation of the Concept of digital transformation “Digital Kyrgyzstan 2019-2023”.

10. The objectives of the Strategy and Action Plan are:

1) formation of the basis for a unified system and policy for ensuring cybersecurity of the Kyrgyz Republic;

2) formation of a unified conceptual and methodological apparatus in the field of cybersecurity;

3) reducing the number and minimizing the consequences of computer incidents at information infrastructure facilities of the Kyrgyz Republic through the formation and development of a domestic system for preventing, responding to and managing computer incidents;

4) formation of an organizational, technical and regulatory legal framework for a system of testing and certification of information security tools and cryptographic information security tools;

5) modernization of the system of national standards in the field of cybersecurity and information protection;

6) increasing the level of human resources for the implementation of the state policy of the Kyrgyz Republic in the field of cybersecurity.

11. As a result of solving the assigned tasks, it is possible to ensure the security of critical information infrastructure, including redundancy of critical information infrastructure objects, ensuring the stability of critical information infrastructure objects in the conditions of computer incidents and computer attacks, the continuity of functioning of critical information infrastructure objects and the prevention of significant computer incidents at such objects; reducing the number and reducing the damage from illegal actions carried out using information and communication technologies (computer crime) by improving legislation in the field of combating computer crime, investigating computer crimes and intensifying international cooperation in this area.

IV. Basic Concepts

12. The Strategy uses the following terms and their corresponding definitions:

information space – a complex field of activity related to the formation, creation, transformation, transmission, use, storage of information that has an impact on the information infrastructure and information, including individual and public consciousness;

cyberspace – the sphere of activity in the information space, formed through any forms of interaction between people, software and services, carried out using information and telecommunication networks (including the global information and telecommunications network Internet) and any other types of information infrastructure;

cybersecurity – maintaining the properties of integrity (which may include authenticity and fault tolerance), availability and confidentiality of information of information infrastructure objects, ensured through the use of a set of tools, strategies, security principles, security guarantees, approaches to risk management and insurance, professional training, practical experience and technologies;

information infrastructure – a set of information systems, information and telecommunication networks and automated process control systems used for the formation, creation, transformation, transmission, use and storage of information, as well as control of technological processes;

critical information infrastructure of the Kyrgyz Republic – a set of state information systems, state information and telecommunication networks and automated process control systems operating in the public administration sector and state electronic services, healthcare, transport, telecommunications and communications, credit and financial sector, defense sector, fuel industry, generation industry and power distribution, food processing and mining;

objects of critical information infrastructure of the Kyrgyz Republic – state information systems, state information and telecommunication networks and automated process control systems (hereinafter referred to as state systems), operating in the sectors of public administration, state electronic services, healthcare, transport, telecommunications and communications, credit and financial sector, defense sector, fuel industry, power generation and distribution industry, food industry and mining industry;

computer attack – targeted impact by software or hardware and software on information systems, information and telecommunication networks, communications and automated process control systems, carried out in order to disrupt their functioning and (or) violate the security of the information they process;

computer incident – an event of disruption or termination of the functioning of an information infrastructure object and (or) a violation of the security of information processed by such an object, including those caused by a computer attack.

V. Key areas of activity for the formation of public policy in the field of cybersecurity

5.1. Formation of a unified system of cybersecurity measures

13. As part of solving the task of building a comprehensive, unified and end-to-end system of state policy in the field of ensuring cybersecurity of the Kyrgyz Republic, the following measures are being implemented within the time horizon of 2023:

1) strengthening interdepartmental cooperation on the formation and implementation of state policy in the field of cybersecurity.

To build a unified system of public policy in the Kyrgyz Republic, it is necessary to establish systematic interaction between relevant government bodies in terms of exchanging information about cybersecurity threats and incidents, receiving and providing assessments of the implementation of measures to ensure cybersecurity, the current development of departmental approaches to regulation and other issues.

A related task is to establish direct channels of interaction to address cybersecurity issues, conduct dialogue and interaction between the executive and legislative branches of government in order to timely develop and resolve multi-level issues of public policy in the field of cybersecurity.

In order to ensure effective interaction, a consultation and coordination platform is provided under the Government of the Kyrgyz Republic, which should ensure the performance of the following functions:

a) coordination and improvement of interaction between interested government bodies or enterprises, institutions and other organizations, regardless of their form of ownership, in the field of cybersecurity;

b) formation of a unified policy on cybersecurity and ensuring the security of critical information infrastructure;

c) coordination and discussion, recording and presentation of positions on policy issues in the field of cybersecurity at the domestic level;

d) submitting regular reports to the Jogorku Kenesh of the Kyrgyz Republic and the President of the Kyrgyz Republic on the implementation of the provisions of regulatory legal acts, organizational, technical and other measures, as well as measures within the framework of state policy in the field of cybersecurity;

e) facilitating the exchange of information and other interaction between executive authorities of the Kyrgyz Republic on the implementation of state policy in the field of cybersecurity;

g) monitoring the implementation of the Cybersecurity Strategy of the Kyrgyz Republic and the Action Plan for its implementation, coordinating the development, refinement and updating of these documents.

2) determination of the authorized body in charge of issues of national security of public authorities, authorized in the field of ensuring cybersecurity:

a) the definition of a specialized regulator does not mean that all the functions and tasks of executive authorities in the field of cybersecurity are limited to it; each agency retains its sector of responsibility in the field of cybersecurity in accordance with its powers.

At the same time, the area of responsibility of the body authorized in the field of cybersecurity includes the following issues:

a) defining a policy to ensure cybersecurity of individuals, society and the state;

b) ensuring compliance with established requirements for the protection of critical information infrastructure facilities, interacting with operators of critical information infrastructure facilities, coordinating the further development of the system for ensuring the security of critical information infrastructure, including in terms of the development and implementation of regulatory legal acts of the Kyrgyz Republic;

c) control and coordination of the activities of the National Center for Response to Computer Incidents;

d) coordination of the activities of centers for responding to computer incidents (private, financial and other);

e) organizing and ensuring activities to conduct regular cyber exercises with the participation of government bodies of the Kyrgyz Republic and private sector organizations;

f) implementation of international cooperation within the framework of powers established by regulatory legal acts of the Kyrgyz Republic;

g) informing the Government of the Kyrgyz Republic about the dynamics of development of risks and threats to cybersecurity of the Kyrgyz Republic in the field of security, as well as informing about key cybersecurity incidents, including information about incidents in critical information infrastructure and their consequences for the Kyrgyz Republic;

h) organizing and ensuring the activities of the coordination center for ensuring information and cyber security;

i) organization of interaction between the National Center for Response to Computer Incidents and other centers for response to computer incidents of the Kyrgyz Republic (private, financial and other);

3) formation of a coordination center for ensuring information and cyber security of the Kyrgyz Republic, subordinate to the state body in charge of national security issues. The activities and work model of the coordination center for ensuring information and cyber security may correspond to the following parameters:

a) the coordination center for ensuring information and cyber security is the main mechanism for interdepartmental coordination and exchange of information on cyber security issues between government agencies, business and the expert community;

b) the coordination center for ensuring information and cyber security collects, analyzes and forms a unified database of incidents and threats in the field of cyber security;

c) the coordination center for ensuring information and cyber security also serves as a platform for dialogue on the implementation of state policy and practical interaction in the field of ensuring cyber security between government agencies and other interested parties, including organizations in the information technology and communications industry of the Kyrgyz Republic, as well as operators of critical information infrastructure facilities.

To organize a dialogue on the implementation of state policy in the field of cybersecurity, regular discussions are organized at the site of the coordination center for ensuring information and cybersecurity with the participation of representatives of all interested parties, including representatives of:

a) relevant government bodies;

b) government organizations of the Kyrgyz Republic and technical structures involved in the implementation of state policy in the field of cybersecurity;

c) the private sector of the Kyrgyz Republic, including the information technology and communications sector, as well as industry associations of the information technology and communications sector;

d) the academic environment, the engineering and technical community and non-governmental organizations of the Kyrgyz Republic, whose scope of activity affects the information technology and communications sector.

The coordination center for ensuring information and cyber security is assigned operational and technical functions, including:

a) in the event of significant cybersecurity incidents or the presence of a high risk of such incidents, together with the National Center for Response to Computer Incidents, promptly informing the population, government agencies, and private organizations;

b) receiving appeals and requests from government bodies, citizens, private organizations on issues of ensuring cybersecurity and risk management; providing information and issuing clarifications on these requests;

c) in accordance with the assigned powers, interaction in terms of the exchange of information on cybersecurity issues with international partners of the Kyrgyz Republic within the framework of formats and mechanisms of interaction to which the Kyrgyz Republic has joined;

d) a platform for information and resource support and interaction with participants in public-private partnerships in the field of information and communication technologies and cybersecurity;

e) performing other tasks within its competence.

5.2. Ensuring the security of critical information infrastructure of the Kyrgyz Republic

14. One of the objectives of this Strategy is the formation of a unified system for ensuring the security of the critical information infrastructure of the Kyrgyz Republic.

15. State policy in this area is implemented by:

1) definition of the sectors, industries and areas of activity in which critical information infrastructure objects operate, including government systems in the following sectors and areas:

– sector of public administration and government electronic services;

– healthcare sector;

– transport industry;

– telecommunications and communications industry;

– credit and financial sphere;

– defense sector;

– fuel industry;

– electricity generation and distribution industry;

– food industry;

– mining industry;

2) development and approval of criteria and parameters that determine whether objects belong to the critical information infrastructure.

The criteria include potential consequences, the occurrence of which may result in disruption of the functioning of the facility in the field of defense capability, socio-economic, socio-political and management spheres.

The parameters are necessary to categorize a separate information infrastructure object in order to establish its significance as an object of critical information infrastructure. Significance parameters vary depending on the type of functions provided by the facility, but are measurable, quantitative in nature and are based on linking the performance of the facility to the share of the economically active population of the Kyrgyz Republic covered by or dependent on the services of that particular facility.

To solve this problem, by the end of 2023 it is necessary to develop and adopt the Law of the Kyrgyz Republic on the security of critical information infrastructure, as well as to form a system of by-laws that ensure the implementation of the provisions of this Law.

16. For operators of critical information infrastructure, it is necessary to establish mandatory requirements to ensure the security of their facilities, including:

a) requirements for the reservation of critical information infrastructure facilities, the functioning of which they ensure, including quantitative indicators of resource reservation and the formation of an “operational reserve” for key nodes of their information infrastructure;

b) requirements for the development and approval of a security policy for critical information infrastructure facilities, which include the formation of threat models for specific critical information infrastructure facilities, the development of plans for the prevention, management and recovery from computer incidents;

c) requirements for the installation and use of computer intrusion prevention and detection tools, as well as computer attack detection and prevention tools, and other means of ensuring the security of critical information infrastructure facilities;

d) requirements for the organization of cybersecurity units in the staff structure of operators of critical information infrastructure facilities;

e) requirements for operators of critical information infrastructure facilities to mandatorily inform the National Center for Response to Computer Incidents about computer incidents at critical information infrastructure facilities, including significant computer incidents, as well as to ensure regular exchange of information about threats and vulnerabilities with the National Center for Response to Computer Incidents.

5.3. Formation of a system for preventing, responding to and managing computer incidents

17. As part of solving the problem of reducing the number and minimizing the consequences of computer incidents at the information infrastructure facilities of the Kyrgyz Republic, a system for preventing, responding to and managing computer incidents in the Kyrgyz Republic will be created. The central links of this system:

a) coordination center for ensuring information and cyber security;

b) the center for responding to computer incidents of the authorized state body in the field of cybersecurity (National Center for Responding to Computer Incidents);

c) infrastructure of centers for responding to computer incidents (private, financial and other);

d) organizing activities to conduct regular cyber exercises with the participation of government agencies and private sector organizations, including operators of critical information infrastructure facilities.

18. To create and deploy such a system, the following measures must be taken:

1) activities to prevent, respond to and manage computer incidents within the framework of the implementation of this Strategy will allow:

– taking into account international experience (including CC-CERT, AP-CERT, US-CERT, IMPACT-ITU, FIRST, FIN-CERT of the Russian Federation) to develop and implement a system for classifying cybersecurity incidents. The classification system should be based on practical criteria (the time required to restore systems whose functioning was disrupted during the incident; the degree of disruption to the functioning of systems as a result of the incident; potential or real consequences of the incident – information leakage, data deletion, damage to physical infrastructure, etc.);

– based on the classification, a scale of levels of cybersecurity incidents is formed, which is a necessary tool in developing a system of requirements for the protection of information systems, including information systems of government agencies and critical information infrastructure facilities. Incidents at the higher end of the scale are classified as significant cybersecurity incidents. Providing measures to prevent and eliminate the consequences of significant incidents, as well as informing about the facts of such incidents, is mandatory for a wider range of entities compared to other categories (levels) of incidents;

– obtain accreditation of centers for responding to computer incidents in CC-CERT, FIRST and other international formats, allowing compliance with the best international practices and standards in the field of responding to computer incidents (including a 24x7x365 operating model and the minimum time to begin responding to incoming reports of computer incidents);

– develop and approve requirements for critical information infrastructure facilities for organizing information exchange and other interaction with the National Center for Response to Computer Incidents. In particular, the requirements should provide for the formation of a system of mandatory reporting of computer incidents that occurred at critical information infrastructure facilities.

The system of approved requirements should be aimed at:

a) formation of a system of concepts and definitions of a computer incident, computer attack and other cybersecurity events that create cybersecurity threats to critical information infrastructure facilities;

b) development and approval of requirements for operators of critical information infrastructure facilities, regarding the provision of information and reports on computer incidents to the coordination center for ensuring information and cyber security;

c) create, at the coordination center for information and cyber security, a unified repository of data on computer vulnerabilities and malicious software, replenished by operators of critical information infrastructure facilities, as well as open for replenishment by private organizations and individuals;

d) at the site of the coordination center for ensuring information and cyber security, develop an action plan in case of an emergency, including disruptions in the functioning of telecommunication networks and information infrastructures on the territory of the Kyrgyz Republic. Regularly update the exercise plan, as well as the threat models and emergency scenarios tested during the exercise.

5.4. Countering computer crime

19. The strategy is based on the need to counteract growing high-tech crime, including cross-border computer crimes committed against individuals, organizations and the state both in the territory of the Kyrgyz Republic and from abroad. As part of the Strategy, the emphasis in combating modern computer crime is on the following:

a) the need to consolidate in the Criminal Code of the Kyrgyz Republic the criminalization of computer crimes in accordance with international approaches to combating cybercrime;

b) consolidation in the Criminal Procedure Code of the Kyrgyz Republic of the methods and means of computer forensics; introduction into the Criminal Procedure Code of the Kyrgyz Republic and related regulatory legal acts of the concept of digital evidence, with a description and presentation of its criteria, characteristics and methods of recording. Ensuring the recognition of the legal force of digital evidence on an equal basis with other evidence;

c) ensuring the harmonization of the legislation of the Kyrgyz Republic in terms of criminalization and investigation of computer crimes, cross-border extradition from the territory of the Kyrgyz Republic of persons suspected of committing computer crimes or convicted of committing them on the territory of foreign states;

d) considering the possibility of involving private companies in collecting digital evidence and conducting forensic examinations of digital evidence for law enforcement agencies of the Kyrgyz Republic.

5.5. Formation of an information protection system, including cryptographic information protection

20. Within the framework of the Strategy, the goal is to form a comprehensive and unified state policy of the Kyrgyz Republic in the field of cryptographic information protection. The policy being formed and implemented follows the principle of coordinating approaches and dividing tasks: at the level of technical standardization of cryptographic algorithms and functions, at the level of forming a system for testing and certification of information security tools, including cryptographic information security tools used in business processes of government agencies of the Kyrgyz Republic.

At the level of technical standardization in the field of cryptographic information protection, the adoption of standards of the Kyrgyz Republic, harmonized with international standards, must be ensured. At the same time, the adopted standards of the Kyrgyz Republic describe the mathematical parameters of internationally recognized and used cryptographic algorithms.

At the level of testing and certification of information security means and cryptographic information protection means, it is necessary to ensure the development of requirements for information security means, including those used in administrative procedures of government bodies of the Kyrgyz Republic. At the critical information infrastructure facilities of the Kyrgyz Republic, the implementation of a testing and certification system for cryptographic information protection means must be ensured. Among the priority measures in this direction should be the formation of a system of testing centers (laboratories) that test information security tools, including cryptographic information security tools. The principle of forming such a system in the Kyrgyz Republic can also be a public-private partnership, including the connection of intellectual and material resources, as well as competence centers of the private sector, to the process of formation and development of a system of testing centers (laboratories) for cryptographic information security tools used in the territory of the Kyrgyz Republic.

21. An important element of state policy in the field of cryptographic information protection of the Kyrgyz Republic is the formation of a system of organizations that carry out certification of information security means, including cryptographic information protection means, in terms of their engineering and technical security, based on the results of testing such means in testing centers (laboratories) on the territory of the Kyrgyz Republic.

22. Within the framework of the Strategy, it is planned to create the minimum required number of state organizations for certification of information security means.

5.6. Formation of a unified approach to ensuring cybersecurity in the public sector of the Kyrgyz Republic

23. In terms of determining the relationship between the information space and cyberspace, the Strategy is based on the vision set out in the international standard ISO/IEC 27032:2012 “Information technologies. Security methods. Cybersecurity guidelines.”

In terms of defining cybersecurity, the Strategy is based on the work of Study Group No. 17 (SG-17) of the International Telecommunication Union, set out in Recommendation X.1205 “Telecommunication Standardization Sector of the International Telecommunication Union (04/2008). Series X: Data networks, open systems interconnection and safety.”

24. Based on the practical tasks of forming the Kyrgyz Republic’s own cybersecurity system and policy, as well as taking into account the best foreign practices and international experience (including the presented ISO standards and recommendations of the International Telecommunication Union), this Strategy is based on the principle of separating information security issues in terms of the impact of content on public and individual consciousness, information warfare and information-psychological operations, from issues of cybersecurity as maintaining the integrity, availability and confidentiality of the information of information infrastructure objects. According to this principle:

a) this Strategy covers exclusively cybersecurity issues in accordance with the legislation of the Kyrgyz Republic;

b) the Strategy does not address terms, challenges, threats, tasks and areas of activity related to ensuring information security, in terms of the impact of content on public and individual consciousness, information warfare and information-psychological operations, as well as the formation and implementation of state information policy and media policies;

c) the policy in the field of ensuring cybersecurity in accordance with this Strategy represents an independent direction of state policy of the Kyrgyz Republic, which is implemented taking into account the development of state information policy and policy in the field of information security;

d) this Strategy, as well as the principles contained in it, do not limit state policy to ensure information security.

25. To solve the problem of increasing the level and quality of practical implementation of state policy measures in the field of cybersecurity, the strengthening of the supervisory policy in the field of personal data processing will be ensured, and uniform requirements will be established in the field of personal data processing by creating an authorized state body for personal data.

26. The Strategy provides for the creation of an authorized government body no later than 2019, with the authority to hold subjects of personal information processing accountable if they fail to comply with the requirements of the law in the field of personal data protection.

27. To ensure the security of public sector information systems of the Kyrgyz Republic, regular cybersecurity audits are envisaged; private companies registered in the Kyrgyz Republic may be allowed to participate in such an audit after mandatory approval from the authorized government agency in charge of national security issues. In relation to government information infrastructures that, based on the results of categorization, are included in the list of critical information infrastructure objects, a mandatory procedure for testing the vulnerabilities of software and hardware products (pentest) purchased as part of the public procurement procedure is also established.

5.7. International cooperation and technical standardization

28. During 2019-2023, the Kyrgyz Republic will strengthen its presence at key international work sites for technical standardization in the field of cybersecurity and information security.

29. Harmonization is necessary with international standards in the field of cybersecurity and information security, including specialized standards of ISO/IEC, IEEE, standards of the EAEU countries, as well as documents of the Internet Engineering Task Force (IETF). The result should be an increase in the level of harmonization of domestic standards in the field of information technology cybersecurity with international ones.

It is also advisable to launch a procedure for updating interstate standards for cryptographic information protection adopted within the framework of the Interstate Committee for Standardization.

5.8. Capacity building and strengthening human resources for cybersecurity

30. The key task in terms of building human potential is the introduction of systematic teaching of the disciplines of cybersecurity, computer hygiene and digital literacy into the system of school, secondary and higher vocational education of the Kyrgyz Republic. For this purpose, a process will be launched to revise the standards of educational activities and educational regulations, with the aim of including:

a) the discipline “cybersecurity” in the list of core disciplines for technical specialties in higher educational institutions of the Kyrgyz Republic;

b) the discipline “cybersecurity” in the list of compulsory specialized disciplines for technical specialties in institutions of secondary vocational education of the Kyrgyz Republic;

c) the disciplines “computer hygiene” and “fundamentals of digital literacy” as compulsory subjects in the curricula of basic school education in the Kyrgyz Republic.

31. In addition, within the framework of the Strategy Implementation Plan, measures are envisaged to strengthen the technical competence of domestic specialists and increase their involvement in the work of the international technical community.

32. As part of building capacity to combat computer crime, it is planned to formulate and launch, including in cooperation with regional and international development partners, professional training and advanced training programs for employees of special services, law enforcement agencies, prosecutors, as well as judges, in terms of improving the skills of investigation and conduct of criminal proceedings on facts of computer crimes.

VI. Expected results, favorable conditions and risks of implementing the strategy

33. The adoption and timely implementation of the provisions of this Strategy will further allow:

– create institutional and basic conditions for the development of sectoral programs and work plans of the authorized government body, competent government bodies of the Kyrgyz Republic, involved public organizations, business initiatives and citizens;

– create a platform for information and resource support and interaction among all interested parties in the field of development of information and communication technologies and cybersecurity;

– create a unified conceptual apparatus and a special legal framework that defines the norms and rules of lawful behavior in the field of ensuring cybersecurity, as well as regulating the activities of government bodies in this area;

– build a system of cybersecurity bodies, including identifying an authorized state body responsible for the state of cybersecurity in the Kyrgyz Republic;

– introduce uniform rules for auditing and control of cybersecurity;

– introduce liability for crimes in the field of cybersecurity, including cross-border computer crimes, into the legislation of the Kyrgyz Republic, introduce and improve methods for detecting, collecting, recording and presenting evidence of illegal activities using computer technologies;

– identify critical information infrastructure facilities, creating uniform standards for ensuring their security, as well as forming a system of coordination and control, as well as an action plan in case of emergency situations;

– introduce a system of testing and certification of information security tools and cryptographic information security tools;

– through the introduction of special disciplines (cybersecurity, computer hygiene and digital literacy) into the system of school, secondary and higher vocational education of the Kyrgyz Republic, increase human potential;

– harmonize legislation, unify terms and concepts, as well as international standards in the field of cybersecurity in order to eliminate barriers and develop international scientific, technical and legal cooperation, ensure the full participation of the Kyrgyz Republic in international mechanisms for regulating relations related to ensuring cybersecurity;

– form and launch, in collaboration with regional and international partners, a program for the development of professional training and advanced training for employees of special services, law enforcement agencies, prosecutors, as well as judges, in terms of improving the skills of investigation and conducting criminal proceedings in cases of computer crimes.

Taken together, these achievements will outline the framework of the domestic cybersecurity system of the Kyrgyz Republic and will allow for the further development of the architecture of the cybersecurity system.

34. Favorable prerequisites for the successful implementation of the Strategy:

a) availability of support from political, legislative and administrative bodies of state power in matters of implementation, use and development of information and telecommunication technologies and ensuring their security;

b) the interest of international partners from among representatives of various institutions of foreign states and international organizations in providing assistance in building a technologically advanced and safe Kyrgyzstan;

c) readiness to provide support and commitment of civil society to initiatives related to ensuring cybersecurity and technical neutrality of the Kyrgyz Republic when implementing large-scale digital transformation projects;

d) increasing the number of specialists in the field of information technology.

35. Along with the positive preconditions in the process of implementing the Strategy, government bodies may face the following risks:

– deviation from the established directions of activity for the implementation of the Strategy;

– lack of understanding of the significance of the ongoing reforms and, accordingly, delay in the adoption of individual initiatives and decisions, and possibly their deliberate blocking;

– insufficient literacy of government civil servants in the field of information and communication technologies, and of heads of government agencies in matters of cyber protection and cyber security;

– shortage of professional personnel with high-quality knowledge and experience in the field of information and communication technologies;

– activities of destructive individuals and organizations aimed at exerting a disruptive influence on decisions made;

– limited or untimely financing of projects related to the implementation of the Strategy;

– transnational and cross-border nature of telecommunication networks and their international connectivity.

VII. Monitoring the implementation of the Strategy

36. Monitoring and evaluation of the process of implementation of the Strategy will be carried out annually, no later than December 20 following the reporting year, with a discussion of their results at the level of the Government Office of the Kyrgyz Republic, based on the results of which a report will be submitted to the Prime Minister of the Kyrgyz Republic. This will allow us to proactively eliminate possible deviations from the goals and objectives of the Strategy and make the necessary adjustments to the Action Plan.

37. Currently, according to the global cybersecurity index published by the United Nations International Telecommunication Union, the Kyrgyz Republic ranks 111th in the world. With the implementation of all points of the Strategy Action Plan, an increase of 28 positions is predicted.

According to the national cybersecurity index published by the Estonian Academy of Electronic Governance, Kyrgyzstan ranks 104th. By 2023, an increase of 18 positions is planned.

In the ranking of the Information and Communication Technologies Development Index, the Kyrgyz Republic is located in 109th place (index published by the International Telecommunication Union of the United Nations). This rating predicts an increase of 17 positions with the implementation of all planned activities of the Strategy.

VIII. Financial and other resources for the implementation of the Strategy

2023”, as well as funds from other sources that do not contradict the legislation of the Kyrgyz Republic, including financial resources allocated by international partner organizations.