RITY STRATEGY OF LATVIA 2014 2018 - A 1' I CYBER SECURITY STRATEGY OF LATVIA 2014 2018 CONTENTS 1 Introduction 2 2 Aims and Basic Principles of the Policy 3 3 Overview of Cyber Security in Latvia 4 4 Key Areas of Action 5 4 1 Governance and Resources of Cyber Security 5 National Cyber Security 5 State Owned ICT 7 Critical Infrastructure 8 Human Resources 9 4 2 Rule of Law in cyber space and Reduction of Cyber Crime 10 4 3 Crisis Management 11 4 4 Awareness raising Education and Research 12 4 5 International Cooperation 14 5 Link to Other Development Planning Documents 16 6 Final Remarks l7 7 Acronyms and De nitions of Terms 18 Appendix No 1 Visualisation of National Cyber Security Policy Coordination 21 v 1 INTRODUCTION Latvian state administration society and economy depend on the opportunities and services ensured by information and communication technology hereinafter ICT and ICT determines the existence of information society in Latvia The Sustainable Development Strategy of Latvia de nes the promotion of the further development of a modern and innovative society open for new ideas and the use of high technology as an asset for the economic development and global competitiveness of Latvia l Due to the increasing use of ICT in society state ad- ministration and the economy its illegal use damage paralysis or destruction may cause threats to state and public security public order and economic activity as well as the hindrance of the further development of the national economy It is possible to intentionally and unintentionally disturb or suspend the operation of the network of state information systems and electronic communications as well as to encumber the functions of the political economic and military decision-making mechanisms of the state cause material damages mis- information of society and trigger technogenic failures Insecurity in cyber space may impact the reliability of the use of ICT and thus prevent the development of a Sustainable Development Strategy of Latvia until 2030 2 modern and innovative society During politically so cially or economically sensitive developments major cyber attacks may be directed against Latvia A secure and reliable information society and e-government is not possible in a state without a national competence in cy- ber security and With the increasing trend of society s range and use of services in cyber space the number of cyber attacks and methods in which attacks are carried out is increasing re- spectively 2 To reduce and prevent the risks and threats in cyber space a uni ed and coordinated cyber security policy involving both the public and private sector is required The Cyber Security Strategy of Latvia lays down strategic priorities in developing cyber security policy and an accompanying action plan will be introduced in the rst half of 2014 The Strategy has been developed in line with documents of in- ternational organisations especially the EU and NATO as well as according to the measures speci ed in the National Security Concept and the State Defence Concept 1 Symantec Internet Security Threat Report 2013 about the increase of attacks and vulnerability in the world 7 2 AIMS AND BASIC PRINCIPLES OF THE POLICY The aim of the cyber security policy is a secure and reliable cyber space which ensures a safe reliable and continuous supply of services essential for the state and society In implementing the cyber security policy the following principles are being used development cooperation responsibility and openness Development it is possible to protect against rapidly growing threats in cyber space only by constantly and systematically developing and improving skills in the ICT sector and its security specialisation Cooperation the effective protection against threats in cyber space unrestricted by geographical boundaries of countries or administrative boundaries of institutions is only possible through cooperation at both the national and international level Responsibility it is possible to effectively reduce risks in cyber space only if all parties involved in cyber space including individuals state institutions and private busi- nesses are informed about and aware of the effects of their activity or inactivity on their own security and the secu- rity of others Openness the cyber security policy is to be imple- mented by facilitating the accessibility of information and communication technology while respecting the rights and fundamental freedoms of an individual searching for a balance between freedom privacy and security as well as promoting good practices ethics and standards in cyber space 3 OVERVIEW OF CYBER SECURITY IN LATVIA Modern society uses ICT more extensively by both direct- ly acquiring information and processing it and creating new and widely accessible tools for self-expression Con- venient and diverse mutual communication tools and platforms are being used to receive services A total of 75 8 of the inhabitants of Latvia have used the Internet while 70 3 use the Internet at least once a week' The number of electronic transactions in the biggest banks in Latvia exceeds 90 96 of the total number of transactions 2 and more than 25 96 of state institution services are avail- able electronicallyi Extensive use of ICT has changed the daily routine of society and a virtual environment where physical and dig- ital actions merge has been created The idea that ICT is a matter of interest of just a small group of professionals has been gradually substituted by the understanding that the entire society is to a greater or lesser extent linked with ICT and the range of services provided and supported by ICT will increase in the following years Since ICT is widely used all members of society from ICT users to man- agers decision makers and legislators should have an understanding about the basic principles of the processes and security of cyber space ICT solutions and services have a complicated structure but they are widely accessible It is easy to use cyber space to Central Statistical Bureau Inhabitants using computer Internet at the beginning of the year 2012 2 Latvian Internet Association Study of lntemet Banking in Latvia 2011 3 of Environmental Protection and Regional Development Re- sults of Asessment and Quali cation of all Public Services Provided by the State Summary of all Department Services Version 1 0 2012 4 cause damage to an individual a societal group or a coun- try as a whole Furthermore the use of ICT tools can re- strict the rights and fundamental freedoms of an individual or violate the right to privacy and personal data protection The situation in Latvian cyber space is characterised by a considerable number of security incidents from several incidents of high signi cance to hundreds of in- cidents of low signi cance affecting state and municipal institutions private businesses and individuals According to an overview by CERT LV 4964 high priority incidents and over 200 thousand low priority incidents have been registered in 2013 The trend of politically socially or economically sensitive developments being accompanied by intentionally organised cyber attacks in is increasing Latvia may be subject to an increased risk during its 2015 Presidency of the Council of the EU In order to reduce the number of cases when with the help of ICT damage to society is caused it is important to de- velop a set of comprehensive measures that would protect cyber space and its services The strategy sets ve priority areas of action 1 Governance and Resources of Cyber Security 2 Rule of Lawin cyberspace and reduction onyber Crime 3 Crisis management 4 Awareness raising education and research 5 International cooperation CERT LV Overview 2013 4 KEY AREAS OF ACTION 4 1 GOVERNANCE AND RESOURCES OF CYBER SECURITY ICT solutions and services are developed improved and maintained in both the public and the private sector For the solutions and services to be reliable safe and continu- ous it is necessary to apply information security require- ments standards and good practices throughout their entire life cycle by including risk analysis based security planning and assessing political economic social legal and personal data protection aspects Cyber security policy implementation in Latvia involves a broad comprehensive range of interested parties therefore it is necessary to create an effective cyber security governance model National Cyber Security National cyber security should be viewed in three di- mensions infrastructure services and processes where the provision of information safety is required At the moment cyber security governance is organised in a partially centralised model where the leading insti- tutions according to the respective authority perform the function of handling the strategy methodology and coordination of cyber security whereas supervisors of speci c ICT solutions and services constantly ensure practical implementation and execution of the estab- lished requirements National cyber security is based on mutual cooperation where each state authority performs its functions including in cyber space and cooperates with other involved parties directly or through the Na tional Information Technology Security Council here- inafter Council The Council has been established by the Law on the Security of Information Technolo- gy which determines the development of cyber security policy at a national level According to the Law the Council coordinates the development of cyber security policy and planning and implementation of objectives and measures The Council is the central national au- thority for the exchange of information and cooperation between the public and private sector and its operation is ensured by the National Cyber Security Policy Coordi nation Section of the Ministry of Defence National cyber security policy is developed by Visualisation in Appendix No 1 Ministry of Defence MOD - coordinates develop- ment and implementation of information technology security and protection policy as well as cooperates in the provision of international cooperation The Na- tional Cyber Security Policy Coordination Section of the MOD organises and provides support for the im- plementation of cyber security policy 2 Ministry of Foreign Affairs MFA coordinates inter- national cooperation and Latvia s participation in vari- ous international initiatives related to the cyber security 3 Financial and Capital Market Commission FCMC regulates and supervises activities in cyber space of members of the nancial and capital market cyber space the Bank of Latvia promotes secure and smooth operation of payment systems while credit institutions are responsible for secure availability of electronic services in their sector 4 Ministry of Economics develops economic policy and promotes the development of competitive- ness and innovation 5 Ministry of the Interior M01 State Police SP and Security Police - implement the policies for com- bating crime public order security protection and the protection of rights and legal interests of individuals as well as coordinates the settlement of crisis situations 6 Information Technology Security Incident Re- sponse Institution CERT LV - monitors and analy- ses developments in cyber space reacts to incidents and coordinates their prevention carries out re- search organises educational events and training as well as supervises the implementation of obligations speci ed in the Law on the Security of Information Technology provides support for Latvian and foreign state and municipal institutions entre- preneurs and individuals 7 Ministry of Education and Science pro- motes knowledge and understanding of cyber space and its secure use 8 Ministry of Welfare MOW implements the so- cial policy and the policy for the protection of chil- dren s rights 9 Operation of the Safer Internet Centre of Latvia Net- Safe Latvia is ensured by the Latvian Internet Associ- ation educates society about possible risks and threats online and promotes the use of secure intemet content 10 National Armed Forces NAF and Cyber Defence Unit CDU provide support in crisis situations 11 Non-governmental organisations in the IT sector - provide support consult and cooperate with the Council in developing and implementing the cyber security policy 12 Ministry of Transport organises the imple- mentation of communication policy Existing partners of the Council association Latvia Chap- ter Latvian Open Technology Association Latvian Information and Communication Technology Association Latvian lntemet Association Association of Commercial Banks of Latvia Latvian Chamber of Com- merce and Industry 13 Constitution Protection Bureau CPB oversees the critical infrastructure 14 Ministry of Justice M01 and Data State Inspec- torate DSI develop organise and coordinate the policy on rights in the eld of personal data pro- tection freedom of information and supervision of electronic documents 15 State Joint Stock Company Latvian State Radio and Television Centre - the only provider of reliable certi cation services which ensures the infrastructure of electronic identity cards and elec- tronic signatures 16 Ministry of Environmental Protection and Region- al Development MEPRD organises the gover- nance of state ICT and coordinates the electrisation of public services whereas State Regional Devel- opment Agency SRDA ensures the operation and development of solutions for shared use of state ICT The Law on the Security of Information Technology and related Cabinet regulations determine basic security requirements for state and municipal institutions and providers of public electronic communications services as well as supervisors of the critical infrastructure of ICT In cases of incidents a set of de nite procedures for state and municipal institutions and owners and legal managers of the critical infrastructure are established In the private sector the governance of information securi- ty is based on the sustainability of business and secure and reliable provision of services In some sectors there are laws and regulations which for example apply to credit institu- tions providers of electronic services or personal data pro- tection but good practices and standards for the security of ICT solutions are not widely used The market of electronic communication operators is scattered and a part of service providers do not ful l the requirements speci ed in the leg- islation thus causing security risks to both clients and other users of ICT infrastructure in Latvia and abroad According to the Law on the Security of Information Technology a national Information Technology Security Incident Response Institution CERT LV has been created CERT LV maintains common monitoring of cyber space provides support for Latvian and foreign state and mu- nicipal institutions entrepreneurs and individuals in preventing IT security incidents as well as coordinates the prevention of security incidents As activity in cyber space increases CERT LV together with institutions from the public and private sectors must develop resources which would allow the summarization of technical infor- mation about incidents in cyber space and storage of this information for analysis and evaluation Required actions 1 Improve coordinated development implementation and evaluation of the national cyber security policy within the framework of the National IT Security Council through cooperation of representatives of pub- lic non-governmental and private sectors Strengthen the leading position of the Ministry of Defence in a coordinated development and implementation of the cyber security policy 2 Create an information exchange medium platform by promoting the exchange of information among en- trepreneurs about topical cyber security threats prob- lems solutions good practices and their application 3 Implement the assessment of risks to national cyber security 4 Promote the standards and practices of good security management in the public and private sector by creat- ing understanding about ICT security in the business environment and organising regular training for lead- ing employers 5 Improve the mechanism of implementation and monitoring of security requirements for electronic communication operators 6 Improve the ability of CERT LV to observe analyse and prevent IT security incidents and cooperate with NATO and EU partners on information exchange 7 Develop CERT LV resources and competences to per- form centralised security tests State owned ICT Cyber security at a national level is closely connected to the state ICT governance system which is now partially regulated by the Law on State Information Systems Its fur- ther development has been outlined in the concept of the organisational model of state ICT management The con- cept sets many tasks for the optimisation of state ICT and the improvement of management processes of state ICT Ful lment of necessary tasks would allow reaching a ho- mogenous more shared and professionally and rationally maintained state ICT infrastructure which would attract better motivated human resources with a higher degree of specialisation and higher professional competences thus increasing the overall level of state ICT security The op- timisation of state ICT would inter alia allow focusing of resources for the improvement of the technological security of state ICT solutions for example by creating shared solu- tions for the continuity of operations etc respect to the management of state ICT the concept provides for the development and implementation of standards and guide- lines for the continuity reliability and security of electronic state administrative processes Currently used state ICT solutions and especially state infor- mation systems SIS contain information illegal exposure or acquisition distortion or deletion of which can cause signi cant damage to a speci c person society or state Denying access to SIS or interrupting the operation of sup- port systems can completely or partially paralyse the work of the public administration Therefore it is important that the development introduction and operation of state ICT solutions including security management is carried out in a rational effective transparent and mutually harmonised manner by using best practices of the sector and guidelines to minimise to the occurrence of ICT security threats due to mistakes as well as deliberate actions The Law on State Information Systems provides for a single level of technical and organisational requirements for all registered systems irrespective of their functionality value of the collected information and in uence on the execu- tion of functions of the public administration both within the institution and outside of it The lack of differentiation of requirements causes inadequate pressure on systems of varying signi cance and capacity as well as the willingness to avoid system registration Differentiation of the require- ments and categorisation of the systems would allow the application of more precise and - appropriate legal mea- sures in case of a criminal offence The case study by suggests that one half of the holders of state information systems do not ensure mea- sures for security management as they are not motivated or competent The state ICT security monitoring and control system is insuf cient Required actions 1 Continue the implementation of improved manage- ment measures speci ed in the conceptual organisa- tional model of state ICT management which provides for the development of a uni ed ICT architecture and development or improvement of management process- es standards and guidelines 2 Develop a legal order for a uni ed management of the provision of state ICT that provides for a categorisa- tion of systems based on a risk analysis and appropri- ately differentiated requirement framework for secu- rity management 3 Improve the understanding and knowledge of the holders of ICT solutions and infrastructure by organ- ising training programmes for the managing staff of the state administration and the staff involved in ICT security management 4 Evaluate the ef ciency of the supervision of ICT secu- rity management the responsibility and penalties for not implementing the security management measures as well as to establish minimum requirements for the work of security managers 5 Organise extraordinary audits and security tests of state ICT solutions and infrastructure performed by independent organisations 6 Develop the procedure according to which the institu- tions report to a common competent authority about the implementation of information security measures 7 Improve the cooperation between the Latvian Associ- ation of Local and Regional Governments Municipal- ities and Institutions in order to improve the security management of municipal ICT resources Critical Infrastructure Critical infrastructure of information technology has been established for the performance of basic functions essen- tial for state and society to ensure the integrity accessibi- lity and con dentiality of the critical infrastructure Once a year the Cabinet of Ministers establishes and reviews the information technology infrastructure whose termination can substantially threaten the existence of the state l The critical infrastructure of information technology has been included in the critical infrastructure of the state and its owners and legal managers in cooperation with security institutions and CERT LV consistently improve security measures Planning and implementation of security mea- sures for critical infrastructure is regulated by the Cabinet of Ministers z For the purposes of exchange of knowledge and experience as well as for the improvement of proce- dures representatives of critical infrastructures are regular- ly involved in training organised by CERT LV Required actions 1 Improve the processing of information and experi- ence exchange about incidents protection of the crit- ical infrastructure and prevention of risks among the holders of critical infrastructures CERT LV and state security institutions 2 Organise crisis training and security breach tests at a national regional and international level and in coop- eration with the Cyber Defence Unit of the National Armed Forces NAP 3 Strengthen the security of state ICT resources by developing technical tools for the automatic provi- sion and control of security as well as to improve the capacity knowledge and mutual cooperation of the security staff Cabinet Regulation No 496 of 1 April 2010 Planning and Implemen- tation Procedure of Identi cation and Security Measures for the Critical Infrastructure including the Critical Infrastructure of Europe 2 Cabinet Regulation No 100 of 1 February 2011 Planning and Im- plementation Procedure of the Security Measures for the Critical Infrastructure of Information Technology Human Resources The situation in state and municipal institutions is char- acterised by signi cant differences in human and mate- rial resources from institutions with well-paid and high- ly quali ed employees and modern technical resources to in most cases institutions with employees with inadequate quali cation and low quality information technology This creates an unequal level of ful lment of obligations laid down by the legislation in the area of information security management in the state adminis- tration Furthermore the restricted availability of highly quali ed experts in the labour market does not meet the demand of the private sector and companies are using outsourcing services to carry out their functions The number of ICT security management experts and se- curity technology experts in the Latvian labour market is small The professional standard for ICT security manag- ers and a certi cation procedure for this speciality have not been established and study programmes in comput- ing computer science and information technology do not purposefully train experts for this specialisation There are minimum competency requirements established for the ICT security managers in state administration in- stitutions IT specialists from state and municipal insti- tutions participate in Be secure training seminars and annual brie ngs in the institutions however the acquired amount of knowledge is restricted and its use in practical situations is not being practised and tested Required actions 1 Assess and raise existing professional standards related to the ICT by including the requirements for the knowl- edge about and skills for cyber security 2 De ne increase and assess the professional competen- cies of experts responsible for cyber security and promote 9 the use of expert certi cations acquired abroad for the con rmation of such competencies 3 Promote the contribution of higher education institu- tions by including cyber security specialisation in study programmes 4 Perform a labour market analysis about the demand supply remuneration of cyber security experts and the employment level of experts prepared by educational institutions 5 Improve the competencies of the teaching staff in the area of cyber security and to support the preparation of methodological materials 4 2 RULE OF LAW IN CYBER SPACE AND REDUCTION OF CYBER CRIME Rule of Law in cyber space is based on the principle of equivalency which provides for the observation of laws and regulations both in the physical and the virtual en- vironment The state is obliged to ensure the basic rights and freedoms of any person laid down by the Constitu- tion and the observation of principles of universal rights irrespective of their eld of application The provided technological opportunities have favoured the increase of criminal offences in cyber space To commit such of- fences criminals use automatic data processing systems as a tool for committing crimes that direct them towards another protected or publicly inaccessible automatic data processing system or its resources An automatic data processing system can also be used as a medium for the circulation of illegal or offensive and defamatory incitement to racial hatred distribution of child por- nography etc information The reduction of cybercrime requires action in two basic 10 directions preventive work for the reduction of criminal offences and effective combating of crime The complicated structure and operation of cyber space out- line two problematic areas in the implementation of effective combating of cybercrime the understanding of the concept signi cant damage and its application is an im- portant precondition for establishing constituent elements of a criminal offence and appropriate quali cation and punish- ment of a criminal offence Secondly investigation and collec- tion of evidence in cyber space requires speci c knowledge Implementation of preventive actions requires organised ICT and a legislative base regulating its security as well as effective use thereof The existing capacity in combating cybercrime should be developed by strengthening elec- tronic evidence Investigation as well as collection and assessment of evidence requires special knowledge and a suf cient level of competence is crucial in law enforce- ment agencies prosecutor s of ces and courts to ensure the rule of law in cyber space Required actions 1 Assess the laws and regulations in the ICT sector as a foundation for applying the Latvian Administrative Violations Code and Criminal Law and to improve this foundation to ensure effective protection of individu- als interests through and in relation to criminal law 2 Assess the present situation and the necessary amend- ments in legislation that provide for punishment for causing damage to the security or operation of infor- mation systems directed towards automatic data pro cessing systems 3 Develop the terminology related to the information security and cyber security in the Latvian language and harmonise its use in the legislative enactments 4 Assess and improve the supervision of obligations in the area of cyber security laid down by the legislative enactments and to promote support for the ful l- ment thereof 5 Facilitate discussions and exchange of opinions about the identi cation of new ICT crimes and improvement of the legal basis for the restriction thereof in line with the international trends 6 Combat and investigate cybercrimes by assessing and improving the existing resources procedures coopera- tion mechanisms and their ef ciency 7 Assess and develop the existing capacity of acquiring and analysing evidence in the process of investigation of cybercrimes by developing the competence of SP and improving the cooperation with CERT LV 8 Develop methodical materials for studies about the ICT sector for the purposes of increasing the knowledge of police of cers persons directing the proceedings and judges about the ICT sector and to implement an in- depth training programme about the issues of combat- ing cybercrime 9 Develop a uni ed mechanism for listing the criminal offences in cyber space statistics in the system of police prosecution and court 4 3 PREPAREDNESS AND CAPACITY TO Acr IN CRISIS SITUATIONS Institutions which ensure national cyber security capabili- ties have been set up in Latvia Plans for action in the case of increased threat have been developed and are being regu- larly updated Cooperation with the Ministry of the Interior for solving different crisis situations has been established The involvement of experts is available in collaboration with the private sector However the present resources and measures are not suf cient and organised enough to ensure ef cient and prompt action in the case of serious and exten- sive security incidents or cyber attacks The present situation in Latvia and threats in cyber space as well as resources for the prevention of risks and man- agement of a crisis that are at the disposal of the state have been assessed in the cyber crisis exercise by the Cabinet of Ministers on 7 December 2012 Reduction of incidents and the prevention of a crisis require individual under- standing about cyber security and the responsibility of each organisation where CERT LV can give advice on daily work or provide support in cases of serious and unexpected incidents Considering the limited resources of the state administra- tion and the conclusions of the cyber crisis exercise the NAP are developing a Cyber Defence Unit to provide sup- port for CERT LV and NAP units in preventing ICT secu- rity incidents and management of consequences in crisis situations in cyber space or in war time The Unit would be used should CERT LV resources be insuf cient and involve- ment of the Unit would faster expedite the implementation of emergency measures or if the Unit had at its disposal special resources for perfong such activities I The Unit is being created as a back-up team of experts consisting of volunteers from the public and private sector accord- ing to the legal basis of the service of the National Guard To ensure the functioning and strengthening of the infra- structure of electronic communication the existing infra- structural capabilities should be developed especially with respect to resistance to the in uence of external conditions Concept of the National Armed Forces Cyber Defence Unit of the Mi nistry of Defence Riga 2013 11 as well as a new infrastructure for securing the basic func- tions of a state especially when the daily use of electronic communication networks can be restricted Required actions 1 Evaluate the de nition of a crisis its procedures leg islation and the use thereof in the case of a possible cyber crisis 2 Develop the capabilities of the NAF and the Cyber Defence Unit to react in a crisis situation and in man- aging the consequences of major incidents by providing and ensuring operational capability of the Unit 3 Develop information technology and communication systems for the NAF to ensure the support of NAF management capabilities in crisis situations 4 Organise regular theoretical and practical training at a national level with the involvement of high of cials and merchants in order to develop mutual understanding and coordinate the management of crisis situations 5 Improve the competence and resources of state insti- tutions when preparing and ensuring the presidency of the Council of the European Union in 2015 when global cyber attacks may be directed against Latvia 6 Develop regional and international cooperation to ensure regular training for providing and receiving support in a crisis situation 7 Establish an electronic communication network for emergency situations 8 Develop a technological and organisational solution that provides state institutions with infrastructure and ensures high con dentiality and integrity of and acces- sibility to state information systems 9 Strengthen the outer scope of the national external communication network establish categorise coordi- nate evaluate risks and make necessary improvements to ensure a reliable and secure ow of data between 12 Latvia and other countries but when necessary to use the network for changes in data ows or the restriction thereof between countries 4 4 An informed society is a crucial part of a secure and re- liable cyber space Awareness is ensured by purposeful and regular explanatory work including the policy and communication implemented by the leading of cials of a country raising the issues in educational institutions and organising regular discussions of experts in the media The level of awareness of a society about the threats to ICT tools available for their prevention personal rights in the electronic medium and their infringement as well as about action in the case of a threat is low According to the statistics of CERT LV in almost all cases when the devices of users have been infected and have become a part of bot- nets approximately 15-20 thousand a month the users have not deliberately caused damage and the cause of the infection is software that has not been updated or the lack of antivirus solutions when malicious e-mail attachments are opened Along with raising awareness of society it is important to increase understanding about ethical norms and moral responsibilities in the electronic environment To improve the knowledge of ICT users it is necessary to implement a set of complex measures starting from primary and secondary education It is necessary to organise reg- ular information campaigns in cooperation with non-gov ernmental and private institutions as well as constantly re ect the information in mass media At the moment cyber security issues are only tested in a uniform model in general education in an informatics examination knowl- edge test part at the secondary education level Although the average level of answered questions is comparatively high 2013 it is impossible to assess the actual actions of students in daily life The type of communica- tion channel content and methodology is to be applied according to the chosen target audience see Figure 1 To develop new study programmes and educate experts and professionals from other sectors experts in law about ICT issues a teaching staff with an appropriate competen- cy is required Competency should be increased by creating and supporting security research groups at universities and scienti c institutes These would attract Latvian spe- Figure 1 The level of cyber space security knowledge according to the target audience fade Develop motivate Reserach Innovation Opinion leaders 9nv1ronm Higher I Professional Create specialisation Expertise education Students Ed General Educational institutions ca knowledge Basic Society I All users Inform skills At the moment there are no academic study pro grammes and scienti c activity in the area of cyber security and people studying the respective subjects abroad are not motivated to return to Latvia due to low salaries lack of opportunities for professional devel- opment According to a study by the World Economic Forum Latvia ranks 110th with regard to the availabil- ity of scientists and engineers World Economic Forum The Global Competitiveness Report 2012-2013 p 227 cialists who are currently working abroad serve as a basis for the creation of a national cyber security including cryp- tography school provide the opportunity in the future to successfully participate in scienti c EU projects and nal- ly to create commercial products with a high added value Required actions 1 Increase the competency of educational institutions and teaching staff and their contribution to educating children and youth about the issues of ICT security by integrating these issues into the educational system and 13 14 organising learning activities that create understanding about information security privacy protection and the use of reliable e-services Additionally opportuni- ties must be ensured for children and youths to report violations on the Internet and to receive support from a Further education of the teaching staff about the issues of cyber security must be organized Develop educational and informative materials about cyber security for use in educational institutions and interest groups that are easily accessible and differenti- ated according to various age groups Develop academic studies and research in cyber se curity to train experts promote innovation establish public-private partnerships for the support of science and research and to attract European funds grants and nancial instruments Create an ICT security laboratory and to organise sci- enti c conferences about topical issues concerning cyber security and cybercrime in cooperation with universities and scienti c institutes Implement educational and informative campaigns and other measures for the overall enhancement of the understanding of society about the cyber security cy- bercrime and important threats to expand the accessi- bility of various ICT security software Develop the exchange of information and opinions among public administration associations of the sec- tor experts business leaders as well as creators of public opinion non-governmental organisations and the academic environment Participate in international informative initiatives and platforms use the European Cyber Security Month and the e-Skills Week to raise issues about the cyber security Promote innovation in the cyber security sector and develop a uni ed academic resource of high capacity computing supercomputer 4 5 INTERNATIONAL COOPERATION The opportunities and security threats provided by cyber space do not recognize national borders and therefore no state can effectively face new security challenges on its own Due to the awareness of the increasing role of cyber space in every society cyber security as an important issue has been included on the agenda of cross border cooperation and by international organisations In bilateral and multi- lateral cooperation a wide range of issues are usually con- sidered from Observation of human rights in the virtual environment to combating of crime often also involving the private sector Under these conditions different na- tional interests inevitably collide and thus far the inter- national community has not reached signi cant progress in creating a common understanding and approach At the same time many non-harmonised processes still take place It is important for Latvia to have knowledge of the work of international and regional organisations and to participate in this work while at the same time expressing support for ensuring the basic principles of a democratic society in the virtual environment It should be not only be safe but also free and accessible Latvia is taking part in international processes including the work of NATO the EU OSCE and UN to promote the improvement of a secure free and accessible cyber space Latvia supports the rst comprehensive resolution of the United Nations Human Rights Council on human rights in the virtual space and will continue to partici- pate and strengthen such initiatives as the Freedom Online Coalition which focuses on observing human rights and basic freedoms in cyber space especially the freedom of speech Latvia has joined the Council of Europe Convention on Cyber Crime and its Additional Protocol concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems According to the Convention all involved countries harmonise their legal regulations to cooperate in the investigation of crimes and to ensure that the people responsible for committing cybercrimes are held liable Cyber security is an important part of national defence and nationally developed defence capabilities can be strengthened by cooperating with NATO and EU mem- ber states in a crisis situation To receive effective support when necessary and to strengthen cyber security mea- sures in the Euro-Atlantic space the development of both collective and individual cyber protection capabilities of each member state should be facilitated in accordance with the approved NATO and EU cyber security planning documents NATO has approved the Cyber Defence Con- cept and Action Plan and corresponding planning docu- ments which provide for the necessity to promote the de- velopment of cyber security capabilities of both NATO as a whole and each individual member state Required actions 1 Strengthen cooperation with countries from the Bal- tic and Northern European countries and improve the cooperation with NATO the EU OSCE and UN to improve the security accessibility and freedom of ICT Support international efforts in enhancing mutual trust and cooperation emphasising the equal applicability of international legal norms to both the physical and the virtual environment Create a common Baltic university study programme to combine regional educational resources to preparing strong and quali ed experts Organise international cyber security events in Latvia on a regular basis highlighting Latvia as a country that takes care of the security of ICT at a national and inter national level Develop and test national procedures to receive prompt and effective help in case of a cyber threat according to the Memorandum of Understanding between Latvia and NATO and pursuant to the NATO Cyber Defence Concept and Action Plan Strengthen cyber protection capabilities by participat- ing in various international training courses exercises and cyber attack simulations within NATO the EU and other international organizations and forums giving local experts and the Cyber Defence Unit the opportunity to improve their knowledge about the latest solutions in information systems security 15 5 LINK TO OTHER DEVELOPMENT PLANNING DOCUMENTS National documents I National Security Concept I State Defence Concept I Law on the Security of Information Technology I Law on State Information Systems authored by I Sustainable Development Strategy of Latvia until 2030 I Guidelines for the Development of Information Soci- ety in 2014-2020 I Concept of the Organisational Model of the State Infor- mation and Communication Technology Management I Guidelines for the Electronic Communication Policy in 2011 2016 I Authentication Law authored by I Concept of the National Armed Forces Cyber Defence Unit of the Ministry of Defence 2013 16 International documents I UN Human Council resolution The promotion protection and enjoyment of human on the Internet I NATO Strategic Concept NATO Concept on Cyber Defence NATO Cyber Defence Policy Action Plan EU Cyber Security Strategy Convention on Cybercrime Budapest Convention Europe 2020 A Strategy for Smart Sustainable and Inclusive Growth I Digital Agenda of the EU I Directive of the European Parliament and of the Council on attacks against information systems 6 CONCLUSIONS An ex-ante evaluation of the proposed solution has not been carried out since cyber security is constantly and rapidly developing but the elds of action established in the guidelines are a continuation of priorities speci ed in the National Security Concept and actions initiated so far The evaluation of the cyber security provided for in the guidelines will create a basis for assessing and improving further policy and the action plan Based on the guidelines an action plan will be devel- oped which will include detailed results of the actions and calculations on the in uence on state and municipal budgets in 2014 and in the following years Every two years the Ministry of Defence performs an evaluation of the guidelines and implementation of the action plan within the Council and submits an informative report and if necessary proposals for raising the issues of the guidelines to the Cabinet of Ministers There are no policy planning documents that are be deemed as having lost their validity At the same time implementation of priorities laid down by the National Security Concept shall continue 17 7 ACRONYMS AND DEFINITIONS OF TERMS ACRONYMS CCDCOE CDU CERT LV CPB DISS DSI ENISA EU FCMC ICT IT Mo MOT NAF NATO NetSafe OSCE 818 SP SRDA UN 18 Bank of Latvia NATO Cooperative Cyber Defence Centre of Excellence in Tallinn Cyber Defence Unit of the National Armed Forces Information Technology Security Incident Response Institution Constitution Protection Bureau Defence Intelligence and Security Service Data State Inspectorate European Union Agency for Network and Information Security European Union Financial and Capital Market Commission Information and communication technology Information technology Latvian State Radio and Television Centre Ministry of Economics Ministry of Environmental Protection and Regional Development Ministry of Education and Science Ministry of Foreign Affairs Ministry of the Interior Ministry of Justice Ministry of Transport Ministry of Welfare National Armed Forces North Atlantic Treaty Organization Safer Internet Centre of Latvia Net-Safe Latvia Organization for Security and Co-operation in Europe Security Police State information systems State Police State Regional Development Agency United Nations TERMS ELECTRONIC COMMUNICATION OPERATOR A merchant or af liation of a foreign merchant who has the right to perform commercial activities provide a public electronic communication network or electronic communication services pursuant to the procedure laid down by the Law on Electronic Communications ELECTRONIC COMMUNICATION NETWORK Transmission systems commutation and routing devices including elements of the network that are not used and other resources that allow to transmit signals in the network with the help of cables radio waves optical or other electro- magnetic means irrespective of the information transmitted E-GOVERNMENT Effective management of the state and municipal admin- istration with the use of information and communication technology INFORMATION SOCIETY A society whose members are able and have the opportu- nity to acquire information with the help of information and communication technology link it with the existing knowledge and use the newly acquired knowledge for increasing their welfare INFORMATION TECHNOLOGY Technology that uses electronic processing of data in- cluding creation deletion saving re ection and transmit- ting for the purposes of performing the required tasks INFORMATION TECHNOLOGY SECURITY INCIDENT A harmful event or offence as a result of which the integrity availability or con dentiality of information technology is endangered INFORMATION AND COMMUNICATION TECHNOLOGY A set of knowledge methods and technical equipment that ensures acquisition storage and distribution of any informa- tion with the help of computers and communication tools CYBER SECURITY Cyber security is the collection of tools policies security concepts security safeguards guidelines risk manage- ment approaches actions training best practices as- surance and technologies that can be used to protect the cyber environment and organization and user s assets Or- ganisation and user s assets include connected computing devices personnel infrastructure applications services telecommunications systems and the totality of transmit- ted and or stored information in the cyber environment CYBER SPACE Cyber space is an interactive environment that includes users networks computing technology software pro- cesses information in transit or storage applications De nition by the International Telecommunication Union in the En- glish language Cyber security is the collection of tools policies security concepts security safeguards guidelines risk management approaches actions training best practices assurance and technologies that can be used to protect the cyber environment and organization and user s as- sets Organisation and user s assets include connected computing devic- es personnel infrastructure applications services telecommunications systems and the totality of transmitted and or stored information in the cyber environment ITU-T X 1205 19 services and systems that can be connected directly or indirectly to the Internet telecommunications and com- puter networks Cyber space has no physical boarders l CRITICAL INFRASTRUCTURE Critical infrastructure is the objects systems or their parts in Latvia which are important in providing the performance of functions essential to society as well as for ensuring the protection of human health secu- rity economic or social welfare whose destruction or malfunctioning may signi cantly in uence the perfor- De nition of the cyber space from the International Telecommu- nication Union National Cyber Security Strategy Guide in the English language We use the term cyberspace to describe systems and services connected either directly to or indirectly to the Internet telecommunica- tions and computer networks and the description of cyber space in the ITU recommendation This includes users networks devices all soft- ware processes information in storage or transit applications services and systems that can be connected directly or indirectly to networks X 1205 Available at 20 mance of state functions The critical infrastructure of information technology is protected in order to ensure the performance of basic functions essential to the state and society STATE INFORMATION AND COMMUNICATION TECHNOLOGY According to the scope and objective of the Concept of the Organisational Model of the State Information and Communication Management state information and communication technology in this document refers to in- formation and communication technology solutions and services used introduced maintained and operated by direct administration institutions and institutions under direct subordination or supervision thereof With respect to municipalities and legal entities or natural persons of private law delegated to perform the duties of the state the concept of state information and communication technology is applicable to the information and communi- cation technology solutions and services that are used in order to perform such delegated duties of the state NATIONAL Members of the Council Other it Functions 4 2 State 3 13 Electronic Private infrastructure information 5 communication businesses systems 5 providers STATE SECTOR PRIVATE SECTOR __Cyber space                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu