Romanian cybersecurity strategy (2022-2027)
December 2021
Strategies and Action Plans
Please note that this is not an official translation; the strategy was translated using Google Translate. For the original Romanian version, please consult the following link.
Based on a vision that takes into account the accumulated experience and the results obtained from the implementation of Romania’s Cyber Security Strategy and the National Action Plan for the implementation of the National Cyber Security System from 2013, the new document aims to establish the main guidelines and general approaches regarding the field of cybersecurity. The new Strategy will promote an updated vision that will help the whole society: public administration authorities and institutions and private entities, the academic environment, citizens. The implementation and application of the provisions of the Strategy by all relevant actors will, on the one hand, support the fulfilment of the national security objectives and the commitments undertaken by Romania at NATO and EU level, and on the other hand, it will create the necessary premises for the development of the business environment, the national economy and the educational and research area.
The new Strategy is part of the efforts undertaken at the national level in order to implement a coherent security framework on all dimensions of economic and social life, meaning that this document ensures complementarity with documents of a strategic nature assumed until now.
1. Introduction
1.1. Summary
The rapid evolution of the technological field and the dynamics of cyber threats are determining conditions for the permanent updating and development of the normative and institutional framework for managing cyber threats and ensuring cybersecurity.
Romania is present on the map of the targets of cyber attacks, constantly facing both complex attacks, which aim to obtain strategic advantages or financial benefits, with potentially major impacts on national security, society and the economy, as well as “classic” attacks, which use common malware and exploit widespread and known vulnerabilities, and which, although they have little potential to harm national security, affect the economy and society.
A major impact on the developments in the approach to cybersecurity at the national level is also generated by the efforts at the UN, NATO and EU levels, where the protection of cyberspace is a priority.
Continuing the normative approach initiated by the Cyber Security Strategy of Romania from 2013, the Cyber Security Strategy of Romania 2.0 will represent the basic document for planning the actions subsumed under the cybersecurity of Romania, in accordance with the strategic documents assumed until now, especially the National Strategy for the Defense of the Country.
In this sense, the Cyber Security Strategy of Romania, for the period 2022-2027, as well as the Action Plan for the implementation of the Cyber Security Strategy of Romania, for the period 2022-2027, identify 5 objectives of national importance whose joint implementation, through proper coordination and cooperation between public administration authorities and institutions with responsibilities in the field, the private sector, the academic environment and citizens, is intended to strengthen both national cybersecurity and Romania’s role at the regional, European and international level and to develop a high-performing digital ecosystem.
At the international level, the following can be mentioned:
1. the EU’s efforts to implement the provisions of the new EU Cybersecurity Strategy for the digital decade, the EU Directive on measures to ensure a common high level of network and information security and the Cybersecurity Act, as well as the recent initiatives to review them;
2. the NATO approach that declared cyberspace as an operational space, encouraged member states to develop their defense and deterrence capabilities, and took steps to review cyber defense policy;
3. the steps at the UN level regarding the definition and adaptation of the normative framework related to the responsible behaviour of states in cyberspace.
The 5 objectives of strategic importance for 2022-2027 in the field of cybersecurity are:
1. Secure and resilient IT networks and systems
2. Strengthened regulatory and institutional framework
3. Pragmatic public-private partnership
4. Resilience through proactive approach and deterrence
5. Romania – relevant actor in the international cooperation architecture
The concrete measures that must be taken to achieve the objectives are included in the Action Plan for the implementation of Romania’s Cyber Security Strategy, for the period 2022-2027 and represent a joint responsibility of all the actors involved.
1.2. Background and importance of cybersecurity
The continuous development of information and communication technologies and the increasingly high level of interconnectivity and interoperability between systems contribute significantly to changing the perception of risks, vulnerabilities and threats from cyberspace.
Cyber attacks are constantly evolving, both in terms of the number and complexity of the specific methods used. They target a large number and variety of networks and IT systems, from those serving individuals, public administration authorities and institutions or private entities, to those serving entities whose activity falls within the national security equation.
At the same time, cyber-attacks, especially on essential services or critical infrastructures, may, due to the interconnectivity, have an impact on the services provided at a regional or international level, with regional or international destabilizing effects, economic and social, and with potential repercussions for peace and stability.
A safe cyberspace is the responsibility of both the state, through the competent authorities, and the private sector and civil society. Consolidating partnerships between public administration authorities and institutions and civil society, respectively the private environment, as well as those between states and international organizations, is essential to achieving a global, open and secure cyberspace.
The accelerated development of technologies and the lack of standards and regulations that require manufacturers to implement the concept of integrated security for them translate into a precarious level of cybersecurity and an increased interest from cyber attackers. The cybersecurity of technologies has thus become an aspect of strategic importance.
At the same time, new technologies and the rapid implementation of increased interconnectivity in essential areas offer real opportunities for economic growth and social development in Romania, generating the evolution of cybersecurity as a business field. Emerging technologies, such as the internet of things, Artificial Intelligence, Machine Learning and band communication technologies (5G and future generations) can be opportunities to launch investments in the context of the development of the industry 4.0 process, medical technology and mobility 4.0, as well as the increase of economic competitiveness, both nationally and internationally.
Also, hosting the European Industrial, Technological and Research Competence Center in cybersecurity in Bucharest will play an important role in connecting the relevant actors from the public level with those from research and industry. The Center will roll out future EU investments in the field of cybersecurity, with the support of a network of National Coordination Centers, which will be created or subsequently selected by each Member State. Moreover, it will be a catalyst for innovation, research and collaboration in the field of cybersecurity and will contribute decisively to the development of the ecosystem in the field, both at European and national level.
1.3. Cyber threats to Romania
In order to be able to establish adequate cybersecurity objectives and measures and to increase resilience in relation to the cyber threat, it is important to know and understand the threat at the level of all actors involved, be they public administration authorities and institutions, private entities or civil society. At the national level, the cyber threat is currently on an upward trend, the main challenge to cybersecurity being represented by cyber-attacks carried out mainly by three categories of attackers:
● persons and entities associated with state actors;
● individuals and groups carrying out cybercrime activities;
● persons and groups of hackers with ideological, political or extremist-terrorist motivation.
Cyber attackers have different technological capabilities and resources used to launch attacks with different motivations.
Another challenge to cybersecurity is represented by the exploitation of some networks and computer systems on the territory of Romania for their use in cyber attacks directed against entities from other states. Thus, the attackers use infrastructure elements from the territory of Romania, especially for the creation of command and control servers or for the creation of intermediate points within the attack infrastructure, which allow them to better anonymize hostile activities.
Entities associated with state actors
The cyber threat generated by entities associated with state actors represents the most important form of threat to Romania’s cybersecurity and has a high impact on national security. The targets are networks and IT systems with critical valences for national security, especially in the diplomatic, military, economic and social fields.
Cyber attacks carried out by state actors are usually of the Advanced Persistent Threat (APT) type. They have a high technological level, both in terms of operating mode and in terms of the malware applications used, constantly updated in order to evade detection mechanisms and maintain persistence for a long period of time. The cyber tools used by attackers are diverse, adapted to their operational goals.
As far as Romania is concerned, cyber-attacks carried out by entities associated with state actors targeted networks and IT systems of some public administration authorities and institutions, the main objective being the exfiltration of strategic information from areas of interest. Given that an entity hostile to Romania is most likely behind such an attack, the exfiltration of such information could have major implications for national security, the effects being multiplied exponentially in operational, strategic and image terms over a period of time that cannot be determined.
The motivation for cyber attacks carried out by entities associated with state actors is a strategic one: they aim to take over and keep under control the attacked networks and IT systems in order to:
1. exfiltrate or attempt to exfiltrate information of interest, with strategic valences (cyber espionage);
2. disrupt or even interrupt the functionality of critical infrastructures such as industrial facilities or in the field of public services of strategic importance (cyber sabotage);
3. influence socio-political processes to generate imbalances at the level of society.
Cybercrime groups
The threat generated by cyber-attacks carried out by cybercrime groups has experienced a particular magnitude in recent years, a fact generated both by the increase in the number and complexity of attacks and by the diversification of the targets.
The motivation of these attacks is, as a rule, a financial one, the objective of cybercrime groups being represented by obtaining financial benefits or information that will ensure them financial gains in the future.
Regarding the activity of cybercrime groups, two categories can be distinguished:
1. Cyber-enabled crime – activities that involve the use of cyberspace to achieve objectives;
2. Cyber-dependent crime – activities carried out exclusively in cyberspace.
Such attacks, on the one hand, generate risks of compromising the data stored on these systems and affecting, at least temporarily, the activity of the respective entities, and on the other hand, they can have a major financial impact both on the level of the targeted entities and on a national level.
The domestic landscape has been dominated in recent years by cyber-attacks with ransomware, info stealer or crypto jacking malware applications, which targeted networks and computer systems belonging to public administration authorities and institutions or private entities. Also noticeable is the intensification of increasingly complex cyber-attacks, including APT-type attacks, dedicated to the exploitation of IT systems in the financial-banking field.
Hacker groups with ideological, political or extremist-terrorist motivation
The attacks carried out by these types of actors, whose motivation is ideological, political or extremist-terrorist, still have a relatively low technological level and target systems with a low level of cyber security.
Exponents of these categories of attackers usually carry out defacement, Distributed Denial of Service (DDoS) and SQL Injection cyber attacks in order to disable or affect the functionality of networks and computer systems. The targets are mainly public administration authorities and institutions, but also private or academic entities.
The evolution of this threat is dynamic, enhanced by events on the national and international political and social scene that are of interest on the agenda of these groups, and unpredictable in the event that such attackers gain access to high technological capabilities allowing them to exploit possible vulnerabilities of some networks and IT systems of interest for national security.
1.4. Cyber Threat Enhancing Factors
The development of cyber attacks against networks and computer systems is enhanced by factors such as:
1. the existence of technological, procedural and human vulnerabilities manifested at the level of the targeted networks and IT systems
The success of some cyber attacks is also ensured by the exploitation of vulnerabilities that have not been fixed. Vulnerabilities are often known, and manufacturers and cybersecurity firms publish warnings about them, as well as remedial solutions, but against the backdrop of a low level of user cybersecurity culture and poor administrator training, attackers continue to achieve their goals by exploiting them.
Also, the poor implementation of some cybersecurity policies, as well as the continued use of some networks and computer systems with old versions of software, which can no longer be updated or optimized from the point of view of cybersecurity, create new opportunities for exploitation for potential cyber attackers.
2. availability and accessibility of hacking resources
Currently, the tools and knowledge needed to carry out cyber attacks can be easily obtained from the online environment (specialist platforms, cybercrime forums). Given the low cost and easy access, these resources can benefit even people with minimal technical knowledge, generating, on the one hand, a quantitative and qualitative increase in attacks, and, on the other hand, increasing the difficulty with which actions in cyberspace can be attributed.
3. the low level of cybersecurity and cyber hygiene culture
The resilience of networks and IT systems and an organization’s ability to prevent and counter cyber attacks is highly dependent on cyber threat awareness. Likewise, good cyber hygiene and an adequate cybersecurity culture possessed by users can be proportionally transposed at the level of institutions, organizations or companies.
4. insufficient training and specialization in the field of cybersecurity of employees and managers
In the context of emerging technologies and their rapid evolution, it is difficult to consolidate an adequate level of training to ensure cybersecurity in public administration authorities and institutions and private entities. The element of novelty characteristic of cyberspace and the field of cybersecurity generates a constant need for personnel training. The managerial level must also benefit from this training, for a good understanding of cybersecurity risks, of the impact that cyber attacks can have in relation to the activity carried out, but also of the measures that must be applied to avoid the occurrence of such cyber events.
5. normative and procedural deficiencies
Considering all the challenges in the field of cybersecurity, the normative and procedural framework must support the responsible authorities in preventing, countering, investigating and mitigating the risks generated by conducting cyber attacks against networks and information systems. At the same time, the normative and procedural framework in the field must ensure an organized and efficient environment, both through a comprehensive approach at the governmental level and through a multi-sectoral approach.
The regulatory framework must respect Romania’s obligations under international law and provide the necessary tools for a high level of cybersecurity and adequate and coherent representation at the international level.
6. expanding the range of devices
The implementation of interconnection solutions and the development of the internet of things, both at the industrial level and at the level of the entire society, lead to the increase and diversification of the impact of cyber attacks, which can consist of physical damage or damage to the health or life of citizens.
Therefore, at the present time, not only the damage produced in cyberspace, caused by inadequate cybersecurity of one’s own systems, but also those caused by threats to interconnected systems, which are fundamental to society, must be taken into account.
7. lack of regulatory framework and supply chain cyber risk management policies
Supply chain cyber risk management must be a national priority and addressed throughout the life cycle of products and services, starting with the design phase and continuing through development, delivery, operation, maintenance and decommissioning.
2. The vision for 2022-2027
Romania has the ability to detect cyber attacks on networks and IT systems on the national territory and to reduce their effects. The vision of the Cyber Security Strategy of Romania, for the period 2022-2027, as well as the Action Plan for the implementation of the Cyber Security Strategy of Romania, for the period 2022-2027, is that, in the face of an increasingly complex cyber threat, Romania develops and strengthens its prevention, deterrence and response capabilities, as well as its resilience, including through a proactive approach, appropriate to the international cooperation framework in the field.
The combined actions of the actors involved must aim at:
– prevention and deterrence – the permanent development of capabilities to detect, investigate, combat and attribute cyber-attacks;
– defense and countermeasures – the development and implementation of effective defense capabilities and proactive mechanisms to respond to current and emerging cyber-attacks;
– development and consolidation – increasing the level of cybersecurity and resilience through:
1. prioritization of investments in the field of cybersecurity;
2. development of educational programs;
3. strengthening the cybersecurity culture;
4. development of research and innovation in the field;
5. defining and promoting a national cyber resilience model;
6. cooperation at national, European and international level.
The philosophy of protection in cyberspace is not limited to reactive procedures and measures, which are a necessary but not sufficient condition to deal with developments in the field of cyber threats. The new vision must also consider proactive approaches, which allow the detection of the threat before it reaches the networks and IT systems in Romania and the development of appropriate response mechanisms in accordance with international law. The approach is found in the current strategies of several partner states and provides a much broader framework for action to help prevent and deter cyber threats and ensure cybersecurity.
3. Principles
In order to ensure Romania’s cybersecurity, the following principles must be respected:
1. Cyber security, an integral part of the extended national security, is the responsibility of all actors involved: public administration authorities and institutions, private entities and citizens
Cyber attacks target Romania’s networks and computer systems, including those that impact national security. Considering the interconnection and interdependence between them, as well as the fact that they are the responsibility of both public administration authorities and institutions, as well as private entities, cybersecurity can only be ensured through cooperation and dialogue.
Cybersecurity risk management must become an integral part of the organizational specifics of each entity, whether public or private. The timely sharing of information on cybersecurity risks, threats, vulnerabilities or solutions, both at the inter-institutional level and within the public-private partnership, is a key element of the coherent strengthening of the resilience of national IT networks and systems.
Government authorities with cybersecurity responsibilities have, among other things, the role to:
– inform the public environment, the private environment and civil society about the importance of cybersecurity, the need for the responsible use of new technologies or digital services and the obligations of Romania through the application of existing international law in cyberspace;
– coordinate the provision of cybersecurity at the national level, by creating the necessary preconditions and facilitating cooperation in this regard.
All entities, public or private, are responsible for ensuring the cybersecurity of the networks and IT systems they own, maintaining the normal operation of the services they offer and incorporating a high level of cybersecurity for the products they design and market. Last but not least, citizens, as end users, must have an individual civic responsibility to ensure cybersecurity, in the sense of applying hygiene in cyberspace, by promoting responsible behaviour in the use of technologies, networks and information systems.
2. Cyber security supports the functioning of the state and society, increasing the competitiveness of the national economy, developing national research-development and innovation capabilities
In recent years, the field of information and communication technology has had an increasingly substantial cybersecurity component. Research, innovation and development initiatives in the field of cybersecurity must be supported, as they can constitute opportunities to increase the competitiveness of the national economy and to close some economic gaps compared to other states, to create and maintain in Romania a highly specialized human resource in the field of cybersecurity, and to increase national research-development and innovation capabilities.
The aim will be to ensure coherence between these initiatives and efforts to strengthen cyber resilience through effective coordination of policies in the field.
3. Cybersecurity is based on establishing an appropriate regulatory framework
The constant updating and adaptation of the normative and procedural framework is necessary to fulfil the objectives of cybersecurity, considering the permanent evolution of technology and regulations in the matter, from an international level.
The development of the normative framework will be based on the European acquis and taking into account Romania’s obligations under international law, including human rights and freedoms.
4. Cybersecurity is strengthened through pragmatic cooperation at the international level
Cyberspace is not limited by borders, so cybersecurity must be thought of and ensured at an international level. In this sense, the achievement of national, European and international objectives requires the cooperation of all actors involved.
The normative framework at the international level provides a set of norms, rules, principles and obligations of international law, which establish the limits of responsible state behaviour in international relations.
Romania must continue to play an active and relevant role in major international structures and initiatives related to actions in the digital and cybersecurity fields and strengthen its position as a center of excellence and a relevant actor for European and international cybersecurity.
5. In ensuring cybersecurity, the maintenance of an open, free, stable and safe cyberspace is guaranteed, with the full application of human rights and fundamental freedoms and the rule of law, as well as the protection of individual liberties and personal data.
Ensuring cybersecurity requires the application in cyberspace of the same norms and values as in physical space and must be based on respecting, promoting and protecting the exercise of human rights and fundamental freedoms, especially in terms of freedom of opinion, freedom of expression, the right to access and receive information, as well as the protection of personal data and the right to privacy, both online and offline.
Romania’s efforts in the field of ensuring and managing cybersecurity will be defined in accordance with the obligations arising from the application in cyberspace of existing international law, including the UN Charter and international humanitarian law and related norms regarding responsible behaviour at the state level in cyberspace debates at the UN level to maintain an open, secure, stable and accessible cyberspace and information and communication technology.
At the same time, particular attention will be paid by Romania to EU-level debates regarding “digital environment and human rights” and “artificial intelligence and human rights”.
4. The objectives of Romania’s Cyber Security Strategy 2.0
4.1. Secure and resilient IT networks and systems
For Romania, the cybersecurity of networks and IT systems is a priority, especially for those in fields related to essential services, as well as those with critical values for national security. Maintaining optimal parameters of availability, continuity and integrity and ensuring their resilience contributes to supporting all areas of economic and social life in optimal conditions.
Public administration authorities and institutions and private entities must implement and operationalize appropriate cybersecurity policies. This goal also includes making investments in the technological field and allocating human resources with specialized training. At the same time, it is necessary to impose and observe a set of quality standards for the products and services used within these networks and systems.
Measures:
4.1.1. Implementation of cybersecurity policies and measures
To be able to have secure networks and IT systems, it is desirable to create and correctly implement, by the entire staff of an entity, a minimum set of cybersecurity policies and measures. They must be adaptable and permanently correlated with the level of the cyber threat and with the rapid development trend of technologies.
Also, these policies must be accompanied by the implementation of recovery plans in the event of a cyberattack and technical and organizational measures, designed to contribute to increasing both the ability to react to cybersecurity attacks and incidents, as well as the resilience of infrastructures.
In addition, it is necessary that each operator of networks and systems with an impact on national security, including those designated by the legislation transposing the NIS Directives, develop procedures for testing and periodically auditing the level of cybersecurity as an integral part of the process of risk assessment, and to permanently update the hardware and software technologies used within the infrastructures.
At the same time, public administration authorities and institutions responsible for ensuring cybersecurity must encourage and support the implementation of cybersecurity policies and measures by creating a unitary working framework, providing the necessary training and bringing together a community of experts in the field.
4.1.2. Developing national capabilities to detect, investigate and counter cyber attacks
In order to have secure and resilient networks and IT systems, it is necessary to constantly develop and adapt detection and investigation capabilities. This must be done in line with both technological developments and changes in the cybersecurity environment, through cooperation between public administration authorities and institutions and private entities.
Knowledge gained from ongoing investigations is an important element in countering and subsequently attributing cyber attacks.
4.1.3. Effective allocation of financial, technological and human resources
Considering the diversity of the fields in which networks and information systems are found and the interconnection between them, it is important to promote and raise awareness among operators, authorities, public administration institutions, and private entities of the need to invest in technologies.
These investments must be supported by efforts to specialize staff in the field, who should be trained to:
● understand the threat from cyberspace;
● know the developments in the technological field;
● acquire the necessary knowledge for an appropriate reaction in the event of a cyberattack or cybersecurity incident.
Permanent cooperation between authorities and public administration institutions with responsibilities in the field of cybersecurity, as well as between them and the business environment and industry, is desirable in the sense of sharing knowledge, for example through the development of best practice guides, recommendations on areas of activity, identification of the best solutions to ensure the protection of networks and IT systems, as well as the efficient and complementary allocation of resources.
4.1.4. Strengthening the cybersecurity incident reporting mechanism
A centralized cybersecurity incident management system provides the big picture of the cyber threat to an infrastructure, a business domain, and even national security. At the same time, an effective reporting mechanism contributes to ensuring a concrete response to threats from cyberspace.
It is necessary to develop a set of measures and mechanisms for reporting incidents, especially at the level of entities that operate networks and IT systems in fields related to essential services or with critical valences for national security. Operators must understand and assume their de facto role and duties and optimize the flow under the cybersecurity incident reporting mechanism, in accordance with EU recommendations and regulations and national legislation.
4.1.5. Creating certification, compliance and standardization mechanisms in the field of cybersecurity
The quality and level of cybersecurity of the hardware and software products used are particularly important for maintaining secure and resilient networks and IT systems in the face of cyber threats and must prevail over restrictive budgetary aspects.
In this sense, it is necessary to create mechanisms at the national level for certification, compliance and standardization in the field of cybersecurity, which take into account a strict set of criteria (technical, non-technical, including by reference to aspects related to national security) and which allow the identification of cybersecurity risks and vulnerabilities existing at the level of hardware and software products.
It is also necessary to create the normative framework and the necessary mechanisms so that the “security by design” principle is respected within programs and projects, considering that products and capabilities are designed to meet cybersecurity standards.
4.1.6. Securing the supply chain
The security of the supply chain must be kept in mind by implementing cybersecurity mechanisms on all components of this ecosystem. It is necessary to define trust criteria for hardware, software and service providers, especially for systems related to national security.
4.2. Consolidated regulatory and institutional framework
In order to reduce the risks generated by cyber-attacks and strengthen Romania’s cybersecurity level, it is essential to develop and streamline forms of cooperation between all relevant stakeholders in the field at the strategic, tactical, and operational levels. In addition, it is important to optimize the relationship and the exchange of information between the public and the private environment in order to ensure a common awareness of the situation.
The general framework of cooperation, represented by the National Cyber Security System, hereinafter referred to as SNSC, through the Cyber Security Operative Council (COSC), had the role of raising awareness and crystallizing at the level of public administration authorities and institutions and society that a condition sine qua non in addressing the elements of knowledge, prevention, deterrence and response to cyber threats to Romania is represented by consolidated cooperation at the level of all national actors.
The activities in the field of cybersecurity at the SNSC level demonstrated the usefulness and viability of this cooperation mechanism at a strategic level, but revealed the need for a strengthening of the role of the COSC and for flexible and effective tactical-operational approaches at the national level by creating an entity to ensure the necessary cooperation architecture.
Measures:
4.2.1. Consolidation of the normative framework
One of the main elements that condition the fulfilment of cybersecurity objectives is represented by the provision of a regulatory framework permanently adapted to technological developments and harmonized with the relevant regulations at the international level. In this sense, the aim will be to modernize the current legislative framework and ensure cooperation procedures and mechanisms at the national level.
It is necessary to adopt the Law on Security and Cyber Defense, which establishes: the necessary framework for the organization and conduct of activities in the fields of security and cyber defense, the cooperation mechanisms and the responsibilities of the public administration authorities and institutions with attributions in the mentioned fields, as well as other relevant aspects.
The development of policies, strategies, and action plans related to cybersecurity and their implementation will be carried out in a manner compatible with international norms of responsible behaviour in cyberspace, with respect to international law and with the minimization of the possible negative impact on the activity of civil society.
Where appropriate, legislation should provide for mechanisms to ensure transparency, hold perpetrators of abuses accountable and compensate victims of abuses.
4.2.2. Strengthening the institutional framework
Strengthening the role of COSC
The Cyber Security Operative Council (COSC) remains the inter-institutional cooperation mechanism, which unitarily coordinates, at the operational level, the activities of the SNSC. The activities, composition and responsibilities of the COSC must be set out in the Cyber Security and Defense Act.
Since its inception, COSC has played a key role in supporting cybersecurity initiatives that have a national and international impact. The COSC must remain in the format in which priorities are constantly updated, depending on the results obtained previously, and decisions are adopted that are subsequently translated into concrete measures at the procedural, operational, tactical and strategic levels.
Following the analysis and assessment of the state of cybersecurity at the national level, the COSC must adopt decisions, translated into proposals submitted to the Supreme Council of National Defense (CSAT), regarding national cyber alert levels, plans and directions for action, development and investments, as well as mandate lines relating to foreign policy decisions and documents in the field of cybersecurity.
In this sense, for optimal coordination between the adopted decisions and the identified measures and an impetus to their implementation, it is necessary that the activity of the COSC be organized according to a predetermined calendar.
Strengthening the role of the National Cyber Security Directorate
In the current context, it was necessary to establish a new institution, that of the National Cyber Security Directorate (DNSC), according to the Government’s Emergency Ordinance no. 104/2021 on the establishment of the National Directorate of Cyber Security, which took over the duties of CERT-RO and which can dynamically face the challenges in the field of cybersecurity through efficient, flexible and proactive mechanisms, procedures and capabilities.
In the ongoing activity, DNSC aims to achieve the following major objectives:
● ensuring the security, confidentiality, integrity, availability, and resilience of the elements of the national civil cyberspace, in cooperation with the institutions that have competencies and attributions in the field;
● ensuring the framework of strategies, policies and regulations that support the implementation of the national vision in the field of cybersecurity;
● the creation of the national cooperation framework between public, private, education and research institutions, to ensure a realistic, common and coherent vision and approach regarding Romania’s cybersecurity;
● the creation and operation of a national collaboration platform that allows the exchange of information between constituents, state institutions, the academic environment and the private environment in the field of incidents, vulnerabilities and crises of a cyber nature;
● the creation of the national certification framework in the field of cybersecurity, in cooperation with the institutions that have competencies and attributions in the field;
● the creation of the national training framework in the field of cybersecurity, in cooperation with the institutions that have competencies and attributions in the field;
● international promotion and support of the national strategy in the field of cybersecurity;
● creation of the national framework for the evaluation of new technologies and their impact on Romania’s cybersecurity;
● developing the ability to attract financing funds for the achievement of institutional objectives;
● the development and coordination of the cybersecurity crisis management plan at the national level, in cooperation with the institutions that have powers and duties in the field of crisis management, as well as in collaboration with the other permanent members of the COSC.
Also, DNSC represents an interface of COSC member institutions for cooperation with civil society and the private and academic environment, constituting the optimal framework to create and develop effective partnerships in the field of cybersecurity.
4.3. Pragmatic public-private partnership
A pragmatic public-private partnership between public administration authorities and institutions, private entities, the academic and research environment and citizens is a necessity given that cyber-attacks target a large number and a wide spectrum of networks and computer systems.
In order to be able to prevent the materialization of cyber attacks, it is important that the topic of cybersecurity is brought to the attention of the entire society, by running public awareness programs, increasing the level of cybersecurity culture and promoting hygiene measures in cyberspace.
Also, an element of common interest is the development and implementation of educational programs and training formats in the field of cybersecurity. All these measures generate major economic-social benefits: the existence of qualified and even highly specialized human resources capable of responding to the challenges of the cybersecurity environment, increasing the contribution of the information and communication technology and cybersecurity industry to the national GDP.
Measures:
4.3.1. Running public awareness programs and raising the level of cybersecurity culture
It is important to create programs to increase the level of cybersecurity culture both at the level of public and private entities, through specialized campaigns carried out by authorities and public administration institutions with responsibilities, and at the level of the general public, in the form of information campaigns through media programs, brochures, dedicated websites, cyber hygiene guides.
It is also important to introduce some basic notions of hygiene in cyberspace from the primary education cycle and to develop educational programs in the field of cybersecurity.
The subject of cybersecurity must be brought to the attention of as many users as possible from all areas of activity (public administration authorities and institutions, private entities, the academic and research environment, and citizens). In order to increase the level of cybersecurity culture, a series of public events and debates will continue to be organized in a public-private partnership.
4.3.2. Development of educational programs in the field of cybersecurity
Public administration authorities and institutions, the private and academic environment must work together to support, develop and finance pre-university, university and postgraduate study programs in the field of cybersecurity, aimed at ensuring the creation of a critical mass of specialists in this field.
Significant steps have already been taken in the postgraduate area, and these must be supported and continued by:
– continuous development, through adaptation and connection to developments in the field, of the training programs, including in the preliminary stages – undergraduate and pre-university studies;
– the training of teaching staff and the consolidation of the material base, by accessing external funding and by maximizing cooperation with the private sector.
4.3.3. Running professional training programs for those who carry out activities in the field of cybersecurity
It is necessary to develop training programs for those who carry out activities in the field of cybersecurity, in the sense of: strengthening the level of technical expertise, in relation to the evolution of the threat and in accordance with technological development and the development of an effective professional behaviour in preventing, countering and reacting to cyber attacks and cybersecurity incidents.
In the cybersecurity training center, the ongoing training programs for cybersecurity specialists will be continued, especially the administrators responsible for the security of networks and IT systems, whose damage can have a negative impact on national security. The Center also provides the appropriate framework for trainer training programs, thus ensuring the necessary knowledge transfer.
4.3.4. Developing and strengthening cybersecurity research and innovation
The implementation of new technologies requires the encouragement of research, innovation and development in the field of cybersecurity in order to benefit from the expertise and human resources capable of facing the new challenges that may arise.
Through the expertise and resources held, the private sector can contribute decisively to increasing the level of cybersecurity at the level of Romania, by working with specialists from the public and academic environment within joint initiatives or mixed platforms for research and innovation in the field of cybersecurity.
Consideration will also be given to supporting the research and innovation community to network at the European level and participate in research programmes, including by supporting the activities of the European Cybersecurity Industrial, Technological and Research Competence Centre.
At the same time, considering that the field of cybersecurity is one of major interest for the international organizations of which Romania is a part, it is important both to increase the degree of allocation of resources from the GDP to this field, as well as the absorption of funding for the development and consolidation of research and innovation in the field of cybersecurity.
4.3.5. Development of the national cybersecurity industry
A prolific and innovative cybersecurity industry is a necessity for the normal development of the national economy in a future increasingly marked by digitization and rapid technological developments.
Public administration authorities and institutions must stimulate and support the efforts of the business environment and the academic area to develop business incubators and new companies – start-ups – in the field of cybersecurity.
In support of a pragmatic and successful public-private partnership, it is important to grant the necessary fiscal facilities to boost the field. Mechanisms for motivating, retaining and attracting cybersecurity specialists to the country must also be defined and assumed at the national level, which will determine the sustainable development of this field.
4.4. Resilience through proactive approach and deterrence
In the face of cyber threats, Romania must:
– be prepared to implement all necessary proactive measures, which aim to ensure the resilience of IT networks and systems;
– have capabilities and mechanisms to deter cyber attacks that affect society or national security interests.
Measures:
4.4.1. Development of sectoral CERTs and SOCs*1)
*1) Without limiting ourselves to these
The creation of independent structures, such as CERT and SOC, in areas related to essential services, will have an important role for a better knowledge of both the threat and the vulnerabilities and deficiencies in a certain area and will be able to generate appropriate measures, whose implementation ensures the resilience of IT networks and systems.
At the same time, such entities will represent a cyber expertise center for a specific field and will play an important role by:
– creation of uniform rules and procedures in the field of cybersecurity for all operators of networks and IT systems in a certain field;
– transfer of expertise and best practices between network operators and IT systems associated with the same field.
The approach of establishing CERTs and sectoral SOCs can represent a national initiative but can also be put into practice in the private sector. At the same time, the initiative to establish such structures can be the subject of projects with European funding.
4.4.2. Carrying out exercises with high practical applicability
Cybersecurity exercises of this type have a proactive role in ensuring resilience, representing the framework in which: resilience and response capabilities, rapid intervention mechanisms, cooperation procedures in case of cyber attacks or cybersecurity incidents can be tested and improved.
In continuation of the steps started at the national level, public administration authorities and institutions with responsibilities in the field of cybersecurity are encouraged to organize and coordinate, in cooperation with the private and academic environment, national and international cybersecurity and incident response exercises.
4.4.3. Developing proactive, reactive and deterrence capabilities
In order to ensure the security and cyber defence of Romania, it is important to develop both proactive capabilities, which allow anticipatory knowledge of the threat, as well as offensive response capabilities, individually or as part of a coalition, in case of cyber attacks that contravene international law. In this sense, the allocation of human and technological resources, characterized by flexibility and adaptability, will be pursued, in accordance with the norms applicable at national and international levels regarding the responsible behaviour of states in cyberspace, through the deployment of which the activity of cyber actors hostile to national, European and allied interests will be discouraged.
Romania must become a difficult target to attack in cyberspace. This objective can be achieved including through the development of security and deterrence capabilities that determine high costs for attackers.
4.5. Romania – relevant actor in the international cooperation architecture
Given that the cyber threat knows no borders, Romania’s engagement in coordinated and effective actions at the international level will be pursued for:
– addressing and shaping cyberspace developments in order to ensure and promote a global, free, open, stable and secure internet and responsible behaviour of states in cyberspace;
– the development and operationalization of effective cooperation mechanisms at the international level, both within the international bodies and organizations of which our country is a part, as well as in the bilateral dialogue with partner states that have capabilities in the area of cybersecurity.
Romania’s activity within the international bodies and organizations of which it is a part, the active contribution to the promotion and implementation of initiatives and policies in the field of cybersecurity, the consolidation of active participation in the dialogue with strategic partners in the field, in conjunction with the developments recorded in economic, social and technological terms in the field of cybersecurity at the national level, represent potentiating factors for the consolidation of Romania’s role as a relevant actor in the international cooperation architecture in the field of cybersecurity.
Measures:
4.5.1. Consolidation of Romania’s role at the global level
At the global level, Romania will aim to maintain a favourable commitment to promoting the notion of a global, open, stable and safe cyberspace where human rights, fundamental freedoms and the rule of law are fully applied.
In support of this role, Romania will use tools of cyber diplomacy, in particular through:
– engagement in norm-setting processes in organizations with a global vocation, such as the UN, by supporting the promotion and implementation of the framework of the norms of responsible state behaviour in cyberspace, the way of applying international law in cyberspace, the increase of trust between states and their capacity;
– active participation in dialogue and consultations with strategic partners at international level and within international initiatives;
– promoting participation in international consultations and initiatives of several stakeholders and different actors, including the public and private sectors, as well as civil society and academia to address this field at a multisectoral and multidisciplinary level.
4.5.2. Consolidation of Romania’s role at the regional and bilateral level
As a member of the EU and regional organizations (OSCE, NATO, Council of Europe), the aim will be to strengthen Romania’s position as an active actor in this field by promoting measures designed to lead to:
– the development and implementation of the new EU Cyber Security Strategy for the digital decade and support for increased attention to cybersecurity at the level of the EU’s Foreign and Common Security Policy;
– the application and implementation of the measures provided for in the EU Cyber Diplomacy Toolbox;
– the operationalization of confidence-building measures between states (“Confidence Building Measures” – CBMs) at the OSCE level;
– further development of NATO’s cyber defense policy, strengthening the resilience of the Alliance as a whole and of allies, deterrence and defense cyber capabilities.
Romania will seek to strengthen its cooperation relations with states with congruent strategic visions and to take advantage of strategic level opportunities that will transform it into a European centre of expertise in the field of cybersecurity, including by supporting the activities of the European Industrial, Technological and Research Competence Center in cybersecurity from Bucharest.
The association of several states and partner organizations in attributing an attack and publicly communicating the source or responsibility of the attack, especially in the case of offensive actions coordinated or sponsored by state actors, has effects in terms of affecting the international reputation of the attacker and discouraging the adversary from continuing this type of action, in the sense of limiting their offensive behaviour and strengthening collective cybersecurity.
In the context of promoting and implementing the UN framework for responsible state behaviour in cyberspace and the EU Cyber Diplomacy Toolbox, Romania will also aim to promote the principle of “cyber deterrence” by capitalizing on the opportunities offered by the possibility of rallying to public condemnation initiatives in case of attribution of a cyberattack.
4.5.3. Strengthening the role of cyber diplomacy
Romania attaches great importance to activities subsumed under cyber diplomacy. The national interest in cybersecurity can be supported and promoted internationally through proactive cyber diplomacy and positioning the diplomatic network in a coordinated manner that will ensure optimal management of available resources.
The creation of a high-level diplomatic representation position, for cybersecurity, with an active role in coordinating Romania’s international representation efforts, in issues related to aspects at the level of cybersecurity strategies, regulations, standards, conflicts and practices, will be pursued.
The activity will be supported by the competent authorities in the field of cybersecurity to ensure coordination and inter-institutional dialogue in order to ensure adequate representation and a coherent message in Romania’s external action, through effective cyber diplomacy.
It will also aim to strengthen the capacity for action in the field of cybersecurity policies at the level of diplomatic missions of Romania in the capitals of partner states and permanent representations at the level of the EU, NATO and the UN.
4.5.4. Strengthening the capacity to transfer expertise at the regional level
It is important to develop cooperative relations in the field of cybersecurity at the regional level in order to strengthen the level of cybersecurity and achieve the goal of becoming a regional leader in the field.
In this sense, Romania will have an active role by starting projects and initiatives with regional impact dedicated to cybersecurity, through which authorities and institutions of the public administration in Romania with responsibilities in the field of cybersecurity, in partnership with the private and academic environment, ensure transfer of knowledge and expertise in this field to the states in the region in support of the development of cybersecurity strategies, legislation, institutions, research, projects and training programs in the field and regional initiatives in this regard, as well as support in the event of a cyberattack.
Romania will aim to serve as a point of reference for the consolidation in the Eastern and Southeastern European region of the international normative framework and respect for democratic values in the online and offline environment.
5. Concepts, definitions and terms
– Cyber threat – any circumstance, event or potential action that could cause damage or disruption to networks and computer systems, as well as to the users of such systems and other people, or that can have some other negative impact on them;
– Advanced Persistent Threat (APT) – complex cyberattack, which uses important resources, as well as advanced techniques, tactics and procedures to exfiltrate data of strategic interest and remain unnoticed for a long period of time;
– Cyber attack – hostile action carried out in cyberspace likely to affect cybersecurity;
– Cyber security audit – activity through which a systematic evaluation of all policies, procedures and protection measures implemented at the level of networks and computer systems is carried out, in order to identify dysfunctions and vulnerabilities and to provide solutions to remedy them;
– CERT (Cyber Security Incident Response Team) – a specialized organizational entity that has the necessary capacity to prevent, analyze, identify and react to cyber incidents;
– Cryptojacking – unauthorized use of another device’s resources for virtual currency mining;
– Defacement – attack on a website that consists in the unauthorized replacement of its interface by exploiting some vulnerabilities of the server that hosts it;
– Cyber diplomacy – diplomatic actions carried out in order to promote, support, defend and protect, through international dialogue and cooperation with partner countries and international organizations, a global, open, free, stable and safe cyberspace, in which human rights, fundamental freedoms and the rule of law are fully applied to the social welfare, economic growth, prosperity and integrity of the free and democratic society and which contributes to conflict prevention, mitigating cybersecurity threats and to greater stability in international relations;
– Distributed Denial of Service (DDoS) – attack aimed at the unavailability, blocking or exhaustion of the resources of an IT system, network or its component;
– Hygiene in cyberspace – applying a set of practices and skills in cybersecurity, necessary for the safe conduct of daily activities undertaken by users;
– Cybersecurity incident – an event occurring in cyberspace that disrupts the operation of one or more computer networks and systems and whose consequences are likely to affect cybersecurity;
– Infostealer – malware application used to steal information (most often authentication credentials) from a compromised computer system;
– Malware – software designed to damage or infiltrate a computer or computer network, without the consent or knowledge of the owner, to fulfil illegitimate purposes;
– Cyber security policies – general principles and rules that must be met to ensure the security of networks and IT systems;
– Ransomware – a form of illegitimate software that restricts access and use of the device until a reward is paid;
– Computer networks and systems – information and communication technology infrastructures, consisting of equipment, applications and digital communication networks;
– Resilience in cyberspace – the ability of a network or computer system to withstand a cyber incident or attack and to return to normality;
– Cyber security risk – the probability that a threat will materialize, exploiting a specific vulnerability of networks and IT systems;
– Cybersecurity – state of normality resulting from the application of a set of proactive and reactive measures that ensure the confidentiality, integrity, availability, authenticity and non-repudiation of information in electronic format of public or private resources and services in cyberspace;
– SOC (Security Operational Center) – team of cybersecurity experts, whose role is to monitor, analyze and respond to cybersecurity incidents;
– SQL (Structured Query Language) injection – technique used by cyber attackers, which aims to exploit the vulnerabilities of a website and insert an SQL-type script;
– Vulnerability in cyberspace – weakness in the design and implementation of networks and IT systems or related security measures that can be exploited by a threat.
This national strategy is implemented through the Action Plan for the implementation of Romania’s Cyber Security Strategy, for the period 2022-2027, provided for in the annex that is an integral part of it.