Information and communications technologies and systems are one of the most important drivers of social and economical development today, whilst undoubtedly being necessary tools for the operation of functional and social structures in any country. As a result of this, a vital need is created for these technologies to offer security in their use, which is defined as the preservation of the principles of confidentiality, integrity and availability of information during its transmission, processing and storage. These principles lead to the building of trust in information systems and electronic services, which is considered a prerequisite for the continued development and growth in this valuable sector of the economy. Network and information security, and more generally cybersecurity, operates to maintain the above principles.
This Strategy aims to establish a safe electronic environment in the Republic of Cyprus, with specific considerations and actions for the protection of critical information infrastructures, whose disruption or destruction would have severe consequences to vital societal functions. The development and preparation of this Strategy has followed a holistic approach for responding to threats in cyberspace, recognising that a valid strategy must offer multiple levels of security.
The European Commission has set strong targets for the area of network and information security, which are evident from its intensified activities in this area, in cooperation with member states and with ENISA (European Network and Information Security Agency). The new European Regulatory Framework for Electronic Communications places special emphasis on the area of security and integrity of networks and services, and also on the area of protection of personal data. One of the main targets of the Commission is the development of National Strategies for network and information security (like this document), the development of National Contingency Plans for related matters and the creation of CERTs (Computer Emergency Response Teams) for incidents that involve electronic security breaches.
Even though the area of network and information security is not a new one, and there have been a number of related actions by various competent state authorities in the past, this document represents the first organised approach for coordinated response to threats that manifest in cyberspace, on a National level. The following priority areas have been identified to meet this target: coordination of the governmental stakeholders, development of a complete legal framework, technical and procedural measures, capability development and training, productive collaboration between the public and private sector and the creation or adaptation of the necessary structures and instruments within the Cyprus Government. This strategy document contains a series of actions that have been identified to achieve the goals discussed above, in the following areas:
- Organisational structures
- Legal Framework
- Collaboration between the public and private sectors
- Identification of Critical Information Infrastructures
- Threat landscape analysis
- National Cybersecurity Framework
- Incident response
- National and International Cyber Exercises
- Capability Development
- Cooperation with external agencies and international working groups
- Development of a National Contingency Plan for Critical Information Infrastructures
- Modelling and analysis of interdependencies.
Short summaries of the Actions, together with an initial graphical assessment of the interdependencies between them, are presented in Appendices I and II respectively.
This document also analyses the immediate actions that are to be taken within Phase A (see section 3.2), as well as the next steps that must follow, such as the detailed planning and costing for each action, the prioritisation and planning of the national cybersecurity programme, and the assessment of the results of the strategy actions that will follow. It should be noted that the Cybersecurity Strategy of the Republic of Cyprus will be reviewed on a regular basis, taking into account the results of the assessment process, as well as new threats that appear (and will continue to appear) in cyberspace. The targets are to perform a holistic assessment of the results of the above actions and to update the strategy accordingly so that it continues to be in a position to provide the maximum benefit to Cypriot society.