The National Cyber Security Strategy_Spain

8/16/2019 The National Cyber Security Strategy_Spain

1/43

NATIONALCYBER SECURITY STRATEGY

NIPO 002-14-024-X


2/43

NATIONALCYBER SECURITY STRATEGY


3/43

THE PRIME MINISTER

The use of Information and Communications Technologies has become wide-

spread in daily life in our country. This new scenario of possibilities offers un-precedented development in the exchange of information and communications,

but at the same time it entails serious risks and threats which can affect Na-

tional Security.

Several factors contribute to the proliferation of criminal actions in cyberspace:

the profitability of exploiting it in economic, political or other terms, the ease and

low cost of employing the tools used to stage attacks, and the ease with which

attackers can hide make it possible to carry out these activities anonymously

and from anywhere in the world, with crosscutting impacts on the public and

private sectors and on citizens themselves.

The different attacker profiles exploit technological vulnerabilities in order to

glean information, steal highly valuable assets and threaten basic services thatare essential to our country’s normal functioning. The peaceful enjoyment of

certain fundamental rights enshrined in our Constitution and in international law

can be seriously compromised as a result of actions of this kind.

Fully conscious of the importance of the matter and committed to the devel-

opment of the Digital Society, the National Security Council has promoted the

drafting of the National Cyber Security Strategy in order to provide a response

to the huge challenge entailed by protecting cyberspace from the risks and

threats hovering over it.

The National Cyber Security Strategy is adopted under, and aligned with, the

National Security Strategy of 2013, which includes cyber security in its twelve

areas of action.

The adoption of the present strategic document highlights the collective capa-

bilities and the commitment of a nation determined to guarantee its security in

cyberspace. For Spain, advances in the field of cyber security furthermore con

tribute to enhancing our economic potential, as they promote a more secure

environment for investment, job creation and competitiveness.


4/43

THE PRIME MINISTER

The National Cyber Security Strategy is the frame of reference of a comprehen-

sive model based on the involvement, coordination and harmonisation of all theState actors and resources, and on publicprivate collaboration and citizen par-

ticipation. Likewise, as cyber security is transnational, cooperation with the Eu-

ropean Union and other international organizations with responsibilities in this

field is an essential part of this model.

To achieve its objectives, the Strategy establishes an organisational structure

that is integrated into the framework of the National Security System. This

structure will underpin the single action of the State in accordance with princi-

ples shared by the actors concerned and in an appropriate institutional frame-

work.

This dependence on cyberspace requires us to devote all the necessary means

to placing our capabilities at the service of cyber security. The environment isdynamic and we face many uncertainties and challenges. Only if we are firmly

committed to the security of cyberspace will the competitiveness of our econo-

my and Spain’s prosperity be a possibility.

Mariano Rajoy BreyPrime Minister of Spain


5/43 NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT v

Contents

• Executive Summary ............................................................................... 1

•

Chapter 1Cyberspace and security ......................................................................... 7

• Chapter 2Purpose and guiding principles of cyber security in Spain ....................13

• Chapter 3

Objectives of cyber security ..................................................................19• Chapter 4

Lines of action of National cyber security .......... .... ....... .... ....... .... ... 29

• Chapter 5Cyber security in the National Security System ....................................41


6/43

ExecutiveSummary

Executive Summary


7/43

3

Executive Summary

T he National Cyber SecurityStrategy is the strategic document that provides the Spanish Government

withabasisfordevelopingtheprovisions

of the National Security Strategyon the

protectionofcyberspaceinorderto im

plementcyberthreatprevention,defence,

detection,responseandrecoveryactions

againstcyberthreats

The Strategy consists of five chap

ters. The first,entitledCyberspaceand

itssecurity,outlinesthecharacteristicsthat

define cyberspace, the opportunities it

provides and the security implications of

dependingonit.Thischaptershowshow

the par ticular character istics which are

commontocyberthreatsandthehighde

pendence of the economy and essential

services on cyberspace result in an in-

creaseinrisksandthreatswithapoten

tiallyseriousimpactonNationalSecurity.

The second chapter dealswiththe

Purpose and guiding principles of cyber secu-

rity in Spain.Itestablishesasapurposethe

settingofgeneralguidelinesforthesecure

useofcyberspacethroughacomprehen

sivevisionthatinvolvesthecoordination

ofthePublicAuthorities,theprivatesec

torandcitizensandchannelsinternational

initiativesinthisfield,respectingdomestic

andinternationallawandinlinewithother

nationalandinternationalstrategicdocu

ments.

The guiding principlesofcybersecurity

arenational leadership and the coordination

of efforts; shared responsibility; proportionali-

ty, rationality and efficiency; and international

cooperation as an extension of the basic

principlesoftheNationalSecurityStrate

gy.Theseprinciplesunderlinetheneedfor

developmentplanningofthecurrentcon

text,with special emphasis on protecting

the constitutional values as an element

commontoallfourprinciples.

Inthethird chapter, theStrategyex

aminestheCyber security objectivesingreat

erdetail.Anoverall objective istoensure

that Spain makes secure use of the Informa-

tion and Telecommunications Systems,

strengthening cyberattack prevention, de

NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT


8/43

NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT4

fence, detection, analysis, investigation, recov-

ery and response capabilities. The National

Cyber Security Policy must serve this pur-

pose.

The Strategy goes on to set up six spe-cific objectives: 1) for the Public Authori-

ties, to ensure that the Information and Tel-

ecommunications Systems used by them

have the appropriate level of security and

resilience; 2) for companies and critical infra-

structures, to foster the security and resil-

ience of the networks and information systems used by the business sector in general

and by operators of critical infrastructures

in particular ; 3) in the judicial and police field

operations, to enhance prevention, detec-

tion, response, investigation and coordina-

tion capabilities vis-à-vis terrorist activities

and crime in cyberspace; 4) in the field of

sensitisation, to raise the awareness of citi-

zens, professionals, companies and Spanish

Public Authorities about the risks derived

from cyberspace; 5) in capacity building, to

gain and maintain the knowledge, skills, ex-

perience and technological capabilities

Spain needs to underpin all the cyber secu-

rity objectives; and 6) with respect to inter-

national collaboration, to contribute to im-

proving cyber security, supporting the

development of a coordinated cyber secu-

rity policy in the European Union and in

international organisations, and to collabo-

rate in the capacity building of States that

so require through the development coop-

eration policy.

Chapter four lays down the Lines of

Action of National Cyber Security. Interde-

pendently, and in connection with the objectives established in the previous chapter,

the Strategy guides the action aimed at

achieving the objectives set out.

The fifth and last chapter is devot-

ed to Cyber security in the National Se-

curity System and establishes the organi-sational structure at the service of cyber

security. Under the direction of the Prime

Minister, the structure is comprised of

three bodies. One already exists – the

National Security Council as the

Government Delegated Commission for

National Security – and two are new: the

Specialised Cyber Security Com-

mittee, which will support the National

Security Council by assisting the direction

and coordination of the National Security

Policy in cyber security matters and by

fostering coordination, cooperation and

collaboration among Public Authorities

and between them and the private sec-

tor ; and the Specialised Situation

Committee which, with the support of

the Situation Centre of the National Se-

curity Depar tment, will manage cyber se-

curity crisis situations which, on account

of their cross-cutting nature or extent,


9/43

5

exceed the response capabilities of the Committeeswillactinacomplementary

usual mechanisms.The two Specialised manner.


C b


10/43

Cyberspaceand itssecurity

Chapter 1Cyberspaceand its security


11/43

9

Chapter 1Cyberspace and its security

T hedevelopmentofInformationandCommunicationsTechnologies(ICT)hasgivenrisetoanewspaceinwhichrelationsareconductedandinwhichthespeedandeasewithwhichinformationandcommunicationsareexchangedhaveovercomethebarriers

ofdistanceandtime.Cyberspace,thenamegiventotheglobalanddynamicdomaincom

posedoftheinfrastructuresofinformationtechnology–includingtheInternet–networks

andinformationandtelecommunicationssystems,hasblurredborders,involvingtheirusers

inanunprecedentedglobalisation thatprovidesnewopportunitiesbut alsoentails new

challenges,risksandthreats.

Oursociety’sdegreeofrelianceonICTandcyberspaceisgrowingdaily.Knowledgeof

itsthreats,managingtherisksandbuildinganappropriateprevention,defence,detection,

analysis,investigation,recoveryandresponsecapabilityareessentialelementsoftheNa

tionalCyberSecurityPolicy.

“Te development of IC has given rise to a new space in whichrelations are conducted and in which the speed and ease with whichinformation and communications are exchanged have overcome the

barriers of distance and time”



12/43

Theattacksderivedfromthesethreats,knownascyberattacks,generallyshareanumber

ofcommoncharacteristics:

Characteristics of cyber attacks

Low Cost

many of the tools used by attackers can be obtained free of charge or at a very low

cost.

Ubiquity and ease of execution

the execution of attacks is independent of the location of the aggressors, and in many

cases considerable technical knowledge is not necessary.

Effectiveness and impact

if the attack is well designed, it may achieve its desired objectives.The absence of

cyber security policies, insufficient resources and lack of awareness and skills can

facilitate this adverse outcome.

Reduced risk for the attacker

ease of concealment means that it is not easy to attribute a cyber attack to its real

perpetrator or perpetrators.This, coupled with a disparate or non-existent legalframework, makes it difficult to prosecute the action.

Thehostofpotentialattackersincreasestherisksandthreatsthatcanseriouslyjeopard

isetheservicesprovidedbythePublicAuthoritiesandtheCriticalInfrastructuresandthe

activitiesofcompaniesandcitizens.Furthermore,thereisevidencethatcertaincountries

havemilitaryandintelligencecapabilitiestocarryoutcyberattacksthatplaceNationalSe

curityatrisk.

“Cyber security is a necessityCybersecurityisanecessityofoursociety

of our society and our andoureconomicmodel.Giventheinfluence of Information andTelecommunications Sys- economic model” tems on the economy and public services,



13/43

NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT 11

Spain’s stability and prosperity largely depend on the security and reliability of cyber space

– qualities which can be jeopardised by technical causes, natural phenomena or deliberate

aggressions.

Risks and threats to national Cyber Security

FOREIGN STATES

CYBERSPACE

HACKING

ORGANISED CRIME

HACKTIVISTS

DOMESTIC THREATS

TECHNICAL CAUSES NATURAL PHENOMENA

INDIVIDUALS ACTING ALONE

CONFLICTS

TERRORISM SABOTAGE

CRIME ESPIONAGE

TERRORIST

ORGANIZATIONS

P


14/43

Purposeand guiding principles of cyber security

Chapter 2Purposein Spain

and guiding principlesof cyber securityin Spain


15/43


Chapter 2Purpose and guiding principlesof cyber security in Spain

S pain requires secure and reliable Information and Telecommunications Systems, bothfor its physical infrastructure (equipment and networks) and the intangible component(computer programmes, models or procedures).These systems, while allowing citizens and

companies access to cyberspace, store valuable information and support strategic services

for our nation that are essential to the correct functioning of our society.

The purpose of the National Cyber Se-

curity Strategy promoted by the National “Te purpose of the NationalSecurity Council is to establish general Cyber Security Strategyguidelines for the secure use of cyberspace, en

promoted by the Nationalcouraging a comprehensive vision, the applica-

Security Council is to establish tion of which helps guarantee our nation’s security and progress through appropriate guidelines for the secure use ofcoordination and cooperation among all the cyberspace”Public Authorities and with the private sector

and citizens, with utmost respect for the princi

ples enshrined in the Constitution and in the provisions of the Charter of the United Na

tions on the peace keeping and international security; and in consonance with the National

Security Strategy and initiatives developed in the European, international and regional

framework.

It likewise encourages Spain’s presence in international organisations and forums by

channelling international initiatives and efforts to protect cyberspace.

15


16/43

6

Guiding Principles

TheNational Cyber Security Strategy,intunewiththebasicprinciplesoftheNationalSecurityStrategyandasanextensionofthem,isunderpinnedandinspiredbythe

followingGuidingPrinciples:

the scope and complexity of the challenges of cyberspace require, in addition to determined

national leadership, appropriate coordination of the capabilities, resources and responsibilitiesinvolved. Both tasks are undertaken by the Prime Minister, who will direct and supervise the

National Cyber Security Policy in the framework of the National Security Council.

the crossborder nature of threats makes it essential to promote global cooperation, as many of

the possible measures will only prove effective if they are adopted internationally with appropriate

cooperation and coordination between the different countries.

All the public and private agents with responsibilities in these matters, also including citizens,

must feel involved in cyber security. For this purpose, intense coordination of the different

bodies of the Public Authorities is necessary together with appropriate publicprivatecooperation capable of ensuring the compatibility of initiatives and fostering the exchange of

information.

it is necessary to manage the risks derived from the use of technology in a dynamicmanner, balancing opportunities and threats and ensuring proportionality in the protection

measures adopted, which must be confidencebuilding elements and not hindrances to the

development of new services.

National

leadership andcoordination

of efforts

International

cooperation

Shared

responsibility

Proportionality,

rationality and

efficiency



17/43


Theyallrespectandstrengthentheprotectionandfullenjoymentofthefundamental

freedomsenshrinedinourConstitutionandininternationalinstrumentsasimportantas theUniversalDeclarationofHumanRights,theInternationalCovenantonCivilandPolitical

RightsandtheEuropeanConventionfortheProtectionofHumanRightsandFundamental

Freedoms.TheSpanishGovernmentundertakestodeveloppolicieswhich,byimproving

thesecurityoftheInformationandTelecommunicationsSystemsusedbycitizens,profes

sionalsandcompanies,preservethefundamentalrightsofthemall,especiallyinthemost

underprivilegedsectors.

17

Obj i


18/43

Objectivesofcyber security

Chapter 3Objectives ofcyber security


19/43

21

Chapter 3Objectives of cyber security

OVERALL OBJECTIVE

To ensure that Spain uses Information and Telecommunications Systems se

curely by strengthening prevention, defence, detection and response capa

bilities vis-à-vis cyber attacks.

T oachieveasecurecyberspace,aNational

CyberSecurityPolicywillbepromotedbydeveloping an appropriate regulatory frame

workandfosteringaStructurethatbringsto

getherandcoordinatesalltheinstitutionsand

agents with responsibilities in this area.This

Structurewillbebasedontheprincipleofeffi

ciencyandsustainabilityintheuseofresources,

guaranteeing theoptimal prevention, defence,

detection, analysis, investigation, recovery and

response capabilities of the Information and

TelecommunicationsSystemsvis-à-vispossible

cyberattacks.

“o achieve a secure cyberspace,a National Cyber Security Policywill be promoted by developing

an appropriate regulatory framework and fostering a

Structure that brings together

and coordinates all theinstitutions and agents withresponsibilities in this area”

ThestrengtheningofcybersecuritywillprovidethePublicAuthorities,theindustrialand

businesssector,thescientificcommunityandcitizensingeneralwithgreater confidencein

theuseofICT.Forthispurposethepublicorganisationsresponsiblewillworkincoordina tionwiththeprivatesectorandcitizensthemselvestoguaranteethesecurityandreliability

ofthesystemsthatunderpintheso-calledInformationSociety.



20/43

Also,indefenceofnationalinterest,theNationalCyberSecurityPolicywillbealigned

withinitiativessimilartothoseofthecountriesinourneighbourhoodandwiththeEuro-peanandinternationalorganizationswithresponsibilitiesinthisarea,particularlytheEU

CyberSecurityStrategy.

Finally,inordertoensuretheprotectionofthesystemsandtheresilienceoftheservices

ofthePublicAuthoritiesandCriticalInfrastructures,aswellastheavailabilityofreliable

products,itwillbenecessarytobolster,giveimpetustoandstrengthenthenationalcyber

securityresearchanddevelopmentcapabilitiesoftheICT.

InthisconnectionSpain,continuingwithitspolicyoftechnologicaldiversificationand

neutrality,willendeavourtousecomponentsthatarecertifiedasconformingtointerna

tionallyrecognisedstandards.

Theconsiderationsofthisoverallobjectivewillapplytotherestoftheobjectives.

OBJECTIVE I

To ensure that the Information and Telecommunications Systems used by the

Public Authorities have an appropriate level of cyber security and resilience

AconsiderablepartoftheICTsystemsoftheSpanishPublicAuthorities,theinformation

containedinthemandtheservicestheyprovideconstitutestrategicnationalassets.

Itisthereforeessentialtofostertheimplementationofacoherentandcomprehensive

nationalframeworkforpolicies,proceduresandtechnicalstandardsthathelpensurethe

protection of public information and its sys

temsandservices,andofthesupportingnet“It is essential to foster the

works. Thisframeworkwillbeakeytodevelimplementation of a coherentoping and implementing services that are

increasinglysecure. and comprehensive national

framework for policies,AdaptingthesystemsofthePublicAuthori- procedures and technical

tiestothisrealityinvolvesestablishingsecurity standards that help ensure theservicesinthem,improvingandexercisingtheir

protection of publicability toprevent, detect, respond toand re

information”coverfromincidents,developingnewtoolsandkeepingthelegalsystemuptodate.

22 NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT


21/43

23

Likewise,inadditiontoimprovingthecapabilitiesofthemilitary,Defenceandintelligence

systems,itisnecessarytobolsterthesecurityofthestrategicInformationandCommunica tionSystems,adaptingthemtothenewrisksandthreatsofcyberspace.

ThePublicAuthoritieswillbeactivelyinvolvedinaprocessofcontinuousimprovement

withrespecttoprotectingtheirICTsystems.Theauthoritiesarerequiredtosetanexample

inthemanagementofcybersecurity.

OBJECTIVE II

To foster the security and resilience of the Information and Telecommunica

tions Systems used by the business sector in general and the operators of

Critical Infrastructures in particular

When applying the principle of shared re

sponsibility,thePublicAuthoritiesmustmaintain “Ensuring the Protectioncloserelationswiththecompaniesthatmanage of Spain’s echnologicalInformation andTelecommunications Systemsrelevanttonationalinterests,exchangingknowl- Heritage”edgeinordertofacilitateappropriatecoordina

tionbetweenbothandamutualunderstanding

ofthecybersecurityenvironment.

InthisconnectionspecialmentionshouldbemadeofactionsaimedatensuringtheProtectionofSpain’sTechnologicalHeritage,whichistakentomeanthosetangibleornon-

tangibleassetswhichunderpintheintellectualandindustrialpropertyofthebusinesssector,

shapeourpresentandconditionfuturedevelopment.

Itisalsointerestingtodeterminetheimpactthatpotentialinterruptionordestructionof

thenetworksandsystemsthatprovideessentialservicestosocietymayhaveonSpain.As

theprivatesectorownsagoodmanyofthesesystems,themeasuresadoptedincyberse

curitymustbealignedwiththerequirementslaiddownintheregulationsontheProtection

ofCriticalInfrastructuresinordertoachieveacomprehensivesetofmeasurestobeap

pliedtotherelevantsectors.


http:///reader/full/Spain.Ashttp:///reader/full/Spain.As


22/43

4

OBJECTIVE III

To enhance prevention, detection, reaction, analysis, recovery, response, re

search and coordination capabilities vis-à-vis terrorist activities and crime in

cyberspace

“It is essential to strengthen

international judicial and police cooperation,establishing appropriate

instruments for collaborationand the exchange ofinformation and the

harmonisation of nationallegislation”

ICTareameans,anendoracombinationof

both, used by terrorist and criminal organisa

tionstoachievetheirobjectives.Tothisshould

beaddedthegrowingpossibilityofusingcyber

spaceasanobjectiveinitselftoperpetrateat

tacksagainstessential servicesorCritical Infra

structures.Inbothcasesitisnecessarytobolster

theprevention,detection,reaction,analysis re

covery,response,investigationandcoordination

mechanismsrelatingtothesekindsofcrimes.

ThepoliceandjudicialactionoftheStatein

cybersecuritymattersmustbeadaptedtothe

patternsofconductandtypesofcrimecommit

tedbyterroristsandcriminalsincyberspace,whoseobjectives–butnotmethods–usu

allycoincidewithtraditionalones.

Toeffectivelyaddressthesethreats,whichoftenextendbeyondStates’borders,itisessentialtostrengtheninternationaljudicialandpolicecooperation,establishingappropriate

instrumentsforcollaborationandtheexchangeofinformationandtheharmonisationof

nationallegislation,anddevelopingandmaintainingsoundandeffectiveregulations.

Likewise,itisnecessarytofostercitizencollaboration,facilitatingproceduresfortheac

cesstoandtransmissionofinformationofinteresttothepolice.

Successincombatingterrorismandcrimeincyberspacerequiresputtinginplacethe

mechanismsneededtoimprovethecapabilitiesofthepoliceinstitutionsandrelevantjudi

cialbodies.



23/43

25

OBJECTIVE IV

To raise the awareness of citizens, professionals, companies and Spanish Pub

lic Authorities about the risks derived from cyberspace

The Spanish Government, recognising the

importance of building and maintaining confi

dence in the InformationandTelecommunica

tions Systems used by citizens, professionals,

companiesandpublicsectorbodies,willunder

take the information and sensitisation actions

neededtoensurethattheyareallawareofthe

risksofoperatingincyberspaceandhaveknowl

edgeof,andaccessto,toolsthatmakeitspro

tectionpossible.

“Companies must be aware ofthe responsibility of ensuring

the security of their systems, the protection of their clients’ andsuppliers’ information and thereliability of the services they

provide”

Atthesametime,companiesmustbeawareoftheresponsibilityofensuringthesecurityoftheirsystems,theprotectionoftheirclients’andsuppliers’informationandthereli

abilityofthe services theyprovide.Maintainingconsumerconfidence isessentialto the

successofthedigitaleconomy.ThesameistrueofthePublicAuthoritiesandtheirrelation

shipwithcitizens.

Therefore,anessentialfunctionistopromoteasoundcybersecurityculturewhichpro-

videsallactorswiththenecessaryawarenessandconfidencetomaximisethebenefitsof theInformationSocietyandreducetoaminimumtheirexposuretotherisksofcyberspace

byadoptingreasonablemeasurestoguaranteetheprotectionoftheirdataandthesecure

connectionoftheirsystemsandequipment.

Theeffectivemanagementoftherisksderivedfromcyberspacemustbebuiltona

soundcultureofcybersecurity.Thisrequiresuserstobesensitivetotherisksentailedby

operatinginthisdomain,andtobefamiliarwiththetoolsforprotectingtheirinformation,

systemsandservices.



24/43

6

OBJECTIVE V

To gain and maintain the knowledge, skills, experience and technological ca

pabilities Spain needs to underpin all the cyber security objectives

Giventhestrategicimportanceofsecurityincyberspace,anabsolutepriorityistohave

qualifiedpersonnelatalllevels:government,management,operational,technicalandjudicial

bodies.

Furthermore,it is important to foster and

“It is necessary to foster and boostthetechnologicalcapabilitiesrequiredforreliablenational solutions thatenablesystemseffectively maintain R & D& I to be adequately protected from different

activity in cyber security” threats.

Toachievethisconfidence,itisnecessaryto

fosterandeffectivelymaintainR&D&Iactivityincybersecurity.ForthispurposethegroupofagentsinvolvedinICTmustbeappropriatelycoordinated,facilitatingcollaborationbe

tweencompaniesandpublicresearchbodiesandpromotingprojectsfortheevaluationand

certificationofsecurity.

Thequalificationofthepersonnelinchargeofthedirection,managementandimple

mentationofcybersecurityisafundamentalobjective,especiallyinthePublicAuthorities

andStrategicandCriticalInfrastructuresofnationalinterest.Whatismore,theuseofverifiedsecurityproductsisasignificantadditionalelementofprotection.

OBJECTIVE VI

To contribute to improving cyber security in the international sphere

ThedevelopmentofacoordinatedcybersecuritypolicyintheEuropeanUnionandin

theinternationalSecurityandDefenceorganisationsinwhichSpaintakespartwillbefos

teredandsupported,andcollaborationwillbecarriedoutincapacitybuildingofStatesthat

sorequirethroughthedevelopmentcooperationpolicy,helpingthemtoimplementacyber

securityculture.



25/43

27

Cooperationwillbefosteredintheframe

workoftheEUandwithinternationalandre

gionalorganisationssuchastheEuropeanDe

fence Agency (EDA), the European Union

AgencyforNetworkandInformationSecurity

(ENISA),theEuropeanCybercrimeCentreat

tachedtoEUROPOL,theUnitedNations(UN),

theOrganizationforSecurityandCooperation

in Europe (OSCE), the NorthAtlanticTreaty

Organization(NATO),andtheOrganizationforEconomic Cooperation and Development

(OECD),amongothers.

“Te development of acoordinated cyber security policyin the European Union and the

international Security andDefence organisations will be promoted and supported”

Togetherwiththecountriesbelongingtoourstrategicenvironment,effortsaimedat

achievingasecureandreliablecyberspacewillbepromotedbystrengtheninginternational

collaboration,creatingconfidencerelationshipsfortheexchangeofessentialcybersecurity

informationanddataandthedevelopmentofcooperationanddevelopmentinitiatives.Ac tionsdesignedtopromotetheadoptionofinternationalcybersecuritystandardsandtheir

progressiveraisingwilllikewisebecarriedout.


http:///reader/full/initiatives.Achttp:///reader/full/initiatives.Ac


26/43


To ensure that Spain usesInformation and

Telecommunications Systems

securely, by strengthening

prevention, defence, detection,

analysis, investigation, recovery

and response capabilities vis-à-vis

cyber attack.

OBJECTIVEI

OBJECTIVEII

OBJECTIVE

III

OBJECTIVEIV

OBJECTIVEV

OBJECTIVEVI

OVERALLOBJECTIVE

To contribute to

improving cyber

security in the

international

sphere

To ensure that the Information and TelecommunicationsSystems used by the Public Authorities have the

appropriate level of cyber security and resilience.

To foster the security and reslilience of the Information

and Telecommunications Systems used by the business

sector in general and operators of Critical Infrastructures

in particular.

To enhance prevention, detection, reaction, analysis,

recovery, response, investigation and coordination

capabilities vis-à-vis terrorist activities and crime incyberspace.

To raise the awareness of citizens, professionals,

companies and Spanish Public Authorities about the risks

derived from cyberspace.

To gain and maintain the knowledge, skills, experience

and technological capabilities Spain needs to underpin all

the cyber security objectives.

28

Lines of


27/43

Lines ofaction ofNationalcyber security

Chapter 4

Lines of actionof Nationalcyber security


28/43

31

Chapter 4Lines of action ofNational cyber security

The National Cyber Security Strategy for achieving the above objec-tives is based on the following Lines of Action:

LINE OF ACTION 1

Capability to prevent, detect, respond to and recover from cyber

threats

Increase prevention, defence, detection, analysis, response, recovery and coordination

capabilities vis-à-vis cyber threats, placing particular emphasis on the Public Authorities,

Critical Infrastructures, military and Defence capabilities and other systems of national in

terest.

TheSpanishGovernmentwilladopttherelevantmeasuresinthislineofaction,in

cluding:

• Broadenandimprovecapabilities todetectandanalysecyber threatsinorder to

enableattackproceduresandoriginstobeidentifiedandthenecessaryintelligenceto

begatheredforamoreeffectivedefenceandprotectionofnationalnetworks.

• Broadenand strengthencapabilities todetectand respond tocyber attacksdi

rectedagainstnational,regionalorsectorialtargets,includingcitizensandcompanies.

• Guarantee thecoordination,cooperationandexchangeof informationbetween

theCentralGovernment,theAutonomousRegions,LocalAuthorities,theprivatesector

andtheEUandinternationalbodieswithresponsibilitiesinthisfieldinordertoensure

continuousawarenessraising,trainingandresponsecapabilitythroughtheSystemforthe

ExchangeofInformationandReportingofIncidents.



29/43


• Ensure the cooperation of organisations with responsibilities in cyber security,

especiallybetweentheGovernmentCERToftheNationalCryptologyCentre(CCNCERT),theArmedForcesJointCyberDefenceCommand(MCCD),andtheCERTfor

SecurityandIndustry.TheCERTsoftheAutonomousRegions,thoseofprivateinstitu

tionsandotherrelevantcybersecurity servicesmustbecoordinatedwiththeabove

mentioneddependingontheresponsibilitiesofeachone,establishingtheappropriate

instrumentsforthispurpose.

• Developpreventionanddetectioninstructionsandkeep themupdated,including

proceduresforrespondingtocrisissituationsandspecificcontingencyplansvis-à-viscybersecurityincidentsthatarenationalinscope,ensuringtheyareintegratedintothe

NationalSecuritySystem.

• Develop

and

implement

a

Programme

of

Simulation

Exercises

for

Cyber

Security

Incidents,inordertoassessandimprovetheactionscarriedoutinthisfield.

• Broadenandcontinuously develop theCyber Defencecapabilitiesof theArmed

ForcesallowingthemtoappropriatelyprotecttheirNetworksandInformationandTel

ecommunicationsSystems,aswellasothersystemswhichaffectNationalDefence.The

implementationoftheJointCyberDefenceCommandwillbeconsolidatedanditwillbe

encouragedtocooperatewiththedifferentbodieswiththecapability torespondto

cyberincidentsinaspectsofcommoninterest.

• Boostmilitary and intelligencecapabilities todeliver a timely,legitimateandpro

portionateresponse incyberspace tothreats oraggressions thatcan affectNational

Defence.

32


30/43


LINE OF ACTION 2

Security of the Information and Telecommunications Systems that

underpin the Public Authorities

Ensure the implementation of the National Security Scheme, strengthen detection ca

pabilities and improve the defence of classified systems.

ThislineofactioncoverstheinitiativesneededtoprotecttheInformationSystemsof

theCentralGovernment, theAutonomous Regions, theLocalAuthorities andbodies

relatedorattachedtothem,aswellastheInformationandTelecommunicationsSystems

andinfrastructurescommontothemall.

Forthispurpose,theSpanishGovernmentwilladoptthefollowingmeasures,among

others:

• Ensure the full implementation of the National Security Scheme and establish the

necessaryproceduresforbeingregularlyapprisedofthestateofthemainsecurityvariablesofthesystemsinvolved.

• Broaden and improve the capabilities of the Government CERT – CCN-CERT

andparticularlyofitsDetectionandEarlyWarningSystems.

• Strengthen the security structures and surveillance capability of Information Sys

tems,particularlythosethathandleclassifiedinformation.

• Optimise the model whereby the Spanish Government bodies interconnect with

publicvoiceanddatanetworks,maximisingtheirefficiency,availabilityandsecurity.• Strengthen the implementation and security of the common and secure infra

structureintheSpanishpublicadministrationsystem(SARAnetwork),boostingitsuse

anditssecurityandresiliencecapabilities.

• Develop new secure horizontal services in accordance with the guidelines of the

DirectorateforInformationandCommunicationTechnologiesof theCentralGovern

ment,thebodyresponsibleforcoordinating,directingandrationalisingtheuseofICTin

theCentralGovernment.

• Step

up

national

activities

aimed

at

developing

and

evaluating

products,

services

andsystemsinordertoobtaintheircertificationbyspecificallysupportingthosewhich

underpinnationalsecurityneeds.

• Give impetus to the creation, dissemination and application of Best Practices in

CyberSecuritymatterswithinthedomainofthePublicAuthorities.

33


31/43


LINE OF ACTION 3

Security of the Information and Telecommunications Systems that

underpin Critical Infrastructures

Foster the implementation of the regulations on the Protection of Critical Infrastructures

and of the necessary capabilities for protecting essential services.

ItisnecessarytoincreasetheresilienceofSpain’sCriticalInfrastructurestoprevent

potentialdisruptionstothenormalfunctioningoftheessentialservices,whichcouldaf

fectSpanishpeople’sdailyactivity.

Inthisconnection,theSpanishGovernmentwilladoptthefollowingmeasuresamong

others:

• Ensure

the

implementation

of

the

regulations

on

the

Protection

of

Critical

Infrastructuresinordertoachieveasecuritythatembracesbothphysicalandtechnological

aspects. Tothisendtheincorporationofsuitablecybersecuritymeasuresintothediffer

entplansestablishedwillbeevaluated.

• Broaden and improve the capabilities of the CERT for Security and Industry,

boostingcollaborationandcoordinationwiththeNationalCentrefortheProtectionof

CriticalInfrastructures,withthedifferentbodieswiththecapabilitytorespondcyber

securityincidentsandwiththeoperationalunitsoftheStateLawEnforcementAgencies.• Encourageprivate-sector involvementin theProgrammesof simulationExercises

forCyberSecurityincidents.

• Developsimulationmodels thatallow theinterdependenceof thedifferentCriti

calInfrastructuresandtherisksaccumulatedbythemtobeanalysed.

34


32/43


LINE OF ACTION 4

Capability to investigate and prosecute cyber terrorism and cyber

crime

Strengthen capabilities to detect, investigate and prosecute terrorist and criminal activi

ties in cyberspace on the basis of an effective legal and operational framework.

Thislineofactionisfocusedoncombatingterrorismandcrimethatoperateincyber

space,whichplaysadualroleasbothaninstrumentthatfacilitatestheiractivitiesanda

directtargetoftheiraction. Thisconceptalsoincludesorganisationswhichusetechnol

ogyfortheirownfinancingorforprofit,makingcrimesandmoney-launderingpossible.

TheSpanishGovernmentwill take relevantmeasures inthislineofaction, among

them:

• Incorporate into the Spanish legal framework solutions to problems that arise in

connectionwithcybersecurityinordertoestablishtypesofcriminaloffencesandthe

workofthedepartmentswithresponsibilitiesinthisarea.

• Broaden and improve the capabilities of the bodies responsible for investigating

andprosecutingcyberterrorismandcybercrimeandensurethatthesecapabilitiesare

coordinatedwithactivitiesinthefieldofcybersecuritybyexchanginginformationand

intelligencethroughtheappropriatechannelsofcommunication.• Strengthen international police cooperation and foster citizen collaboration, es

tablishinginstrumentsfortheexchangeandtransmissionofinformationofinteresttothe

police.

•

Ensure

that

legal

professionals

have

access

to

information

and

resources

that

pro

videthemwiththenecessarylevelofknowledgeinthejudicialfieldtoapplytheassoci

atedlegalandtechnicalframeworkmoreeffectively.Inthisconnectioncooperationwith

theGeneralCouncilof the Judiciary, theStateLawyer’sOffice,theStateProsecutor’sOffice,theComputerCrimeProsecutor’sOfficeandtheGeneralCouncilofSpanish

Lawyersisparticularlyimportant.

35


33/43


LINE OF ACTION 5

Security and resilience of ICT in the private sector

Boost the security and resilience of infrastructures, networks, products and services us

ing instruments of public-private cooperation.

Thislineofactionisdesignedtoimprovethesecurityandresilienceofnetworks,productsandservicesusedbytheindustrialsectorindevelopingitsactivitybystrength

eningpublic-privatecollaborationwiththeindustrialsectorandinparticularwiththeICT

securitysector. TheparticipationofprofessionalCollegesandAssociations,amongothers,

willbevalued.

TheGovernmentwilldevelopthefollowingmeasures,amongothers:

• Foster

cooperation

between

the

public

and

private

sectors,

promoting

the

exchangeofinformationonvulnerabilities,cyberthreatsandtheirpossibleconsequences,

especiallyinrelationtoprotectingsystemsofnationalinterest.

• Promote cooperation with the industry sectors and cyber security services in

ordertojointlyimprovedetection,prevention,responseandrecoverycapabilitiesvis-à

visthesecurityrisksofcyberspace,givingimpetustotheactiveinvolvementofservice

providersandthedevelopmentandadoptionofcodesofconductandgoodpractice.

•

Foster

the

development

of

standards

in

cyber

security

through

the

national

and

internationalstandardisationandcertificationbodiesandinstitutions,andpromotetheir

adoption.

36


34/43


LINE OF ACTION 6

Knowledge, skills and R&D&I

Promote the training of professionals, give impetus to industrial development and

strengthen the R&D&I system in cyber security matters.

Thislineofactionenvisagesinitiativesthatneedtobeundertakeninordertoachieveandmaintainanappropriateleveloftrainingincybersecurityforprofessionals(knowl

edgeandskills)andtoboostSpanishindustryandR&D&I. TheSpanishGovernmentwill:

• DevelopaFramework for Cyber Security Knowledgein the technical, operational

andlegalfields.

• Extend and broaden talent recruitment, advanced research and training pro

grammesincybersecurityincooperationwithUniversitiesandspecialisedcentres.

• Establishmechanisms thatallow thecyber security prioritiesanddemandsof the

publicauthoritiestobeidentifiedatanearlystageinordertoincorporatetheminto

previousinitiatives.

• Foster theindustrialdevelopmentof cyber security productsandservices through

instrumentssuchas,amongothers,theStatePlanforScientificandTechnicalResearch

andInnovationandinitiativesforsupportingitsinternationalisation.

• Promote

the

national

coordination

and

stimulation

of

the

industrial

and

cyber

securityservicessectorinordertoimprovecompetitiveness,internationalisation,identi

ficationofopportunities,eliminationofbarriersandregulatoryguidance,amongother

activities.

• Promotecyber security certicationactivitiesinaccordancewith theinternation

allyrecognisednormsandstandards,incorporatingthesecriteriaintoprocessesforthe

developmentandacquisitionofproductsorsystems.

• Promote

models

and

techniques

for

analysing

cyber

threats

and

measures

for

protectingproducts,servicesandsystems,aswellastheirspecification,evaluationand

certification.

37


35/43


LINE OF ACTION 7

Cyber security culture

Raise the awareness of citizens, professionals and companies about the importance of

cyber security and the responsible use of new technologies and the services of the Informa

tion Society.

TheSpanishGovernmentwilladapt,fosterordeveloprelatedmeasures,including:

• Giveimpetus tosensitisationactivities toensure thatcitizensandcompanieshave

accesstoinformationaboutvulnerabilitiesandcyberthreatsandaboutthebestwayof

protectingtheirtechnologicalenvironment.

• Promote thedevelopmentof Cyber Security Awareness-Raisingprogrammes in

collaborationwithpublic-andprivate-sectoragents,fosteringthenecessarycoordinationandrationalisationofeffortsthroughbodieswithresponsibilitiesinthisfield.

• Foster

the

mechanisms

for

supporting

companies

and

professionals

in

the

secure

useofICT,bolsteringknowledgeinsecuritymatters,promotingtheadoptionoftools,the

disseminationofregulationsandtheuseofgoodpractices.

• Adviseonandsupport thedevelopmentof educationmodulesfor sensitisationin

cybersecurity,aimedatalllevelsofteaching.

38


36/43


LINE OF ACTION 8

International commitment

Promote a secure and reliable international cyberspace, in support of national interests.

Technologicalglobalisationanditsopportunitiesandrisksmakeitnecessarytoalign

theinitiativesofallcountriesthatpursueasecureandreliablecyberspace.

Theseinter nationaleffortsmustenvisagethedraftingandadoptionofglobalstandards,theexpan

sionofthecapabilitiesoftheinternationallegalsystemandthedevelopmentandpromo

tionofbestpracticesinassessingthesituation,warningandresponsetocyberincidents.

Withinthis lineofaction,theSpanishGovernmentwilldevelopthefollowingmeas

ures,amongothers:

• Enhance

Spain’s

presence

at

international

and

regional

organisations

and

forumsoncybersecurity,supportingandtakinganactiveroleinthevariousinitiativesandcoor-

dinatingthepositionofthenationalagentsinvolved.

• Promote legislativeharmonisationand international judicialandpolicecoopera

tionincombatingcybercrimeandcyberterrorism,supportingthenegotiationandadop

tionofinternationalconventionsonthesematters.

• Foster thesigningof agreementswithininternationalorganisationsandwithprin

cipalpartnersandallies,inordertostrengthencooperationincybersecurityanddevelopacoordinatedapproachforcombatingcyberthreats.

• Giveimpetus to theestablishmentof internationalchannelsof information, detec

tionandresponse.

• Promote thecoordinatedparticipationof public institutionsand theprivatesec

torininternationalexercisesandsimulations.

• In thescopeof theEU, collaborateinharmonisingnationallegislations, implement

ingtheEUCyberSecurityStrategyandpromotinganinternationalpolicyincyberspace.

• Foster cooperationwithNATO in Cyber Defence, particularly with respect to

respondingtocyberincidentsandexchangingtechnicalinformationonthreatsandvul

nerabilities,whilepromotingactionswithintheOrganizationaimedathighlightingCyber

Defenceasoneofitspriorities.

39


37/43

LINE OF ACTION CONTENT

1

Capability to prevent, detect,

respond to and recover from

cyber threats

Increase prevention, defence,detection, analysis,response,recovery

andcoordinationcapabilitiesvis-à-viscyberthreats,placingparticular

emphasis on thePublicAuthorities, Critical Infrastructures, military

andDefencecapabilitiesandothersystemsofnationalinterest.

2

Security of the Information

and Telecommunications Sys

tems that underpin the Public

Authorities

EnsuretheimplementationoftheNationalSecurityScheme,strength

endetectioncapabilitiesand improvethe defenceof classifiedsys

tems.

3

Security of the Information

and Telecommunications Sys

tems that underpin Critical

Structures

Foster theimplementationof theregulations on theProtectionof

CriticalInfrastructuresandofthenecessarycapabilitiesforprotectingessentialservices.

4

Capability to investigate and

prosecute cyber terrorism and

cybercrime

Strengthencapabilitiestodetect,investigateandprosecuteterrorist

andcriminalactivitiesincyberspaceonthebasisofaneffectivelegal

andoperationalframework.

5Security and resilience of ICT

in the private sector

Boost

the

security

and

resilience

of

infrastructures,

networks,

products

andservicesusinginstrumentsofpublic-privatecooperation.

6 Knowledge, skills and R&D&IPromotethetrainingofprofessionals,giveimpetustoindustrialdevel

opmentandstrengthentheR&D&Isystemincybersecuritymatters.

7 Cyber security cultureRaisethe awarenessof citizens,professionalsandcompaniesabout

the importance of cyber security and the responsible use of new

technologiesandtheservicesoftheInformationSociety.

8 International commitmentPromoteasecureandreliableinternationalcyberspace,insupportof

nationalinterests.


Cyber securit


38/43

Cyber securitin theNationalSecurity System Chapter 5

Cyber securityin the NationalSecurity System


39/43


Chapter 5Cyber securityin the National Security System

T hecomprehensivevisionofcybersecurityenshrinedinthisStrategy,thedetectedrisks

andthreatsthataffectitandthestatedobjectivesandlinesofactionforprovidingan

appropriatejointresponsetopreservingcybersecurityinaccordancewiththeprinciples

thatunderpintheNationalSecuritySystemexplaintheneedforanorganisationalstructure

tailedtothesepurposes,whichwillconsistofthefollowingcomponentsunderthedirection

ofthePrimeMinister:

A. TheNationalSecurityCouncil;

B.

The

Specialised

Cyber

Security

Committee;

C. TheSpecialisedSituationCommittee,whichisuniquetothewholeNationalSecu

ritySystem.

Organisational structure of cyber security

43


40/43

ORGANISATIONAL STRUCTURE OF CYBER SECURITY

a) National Security Council:

TheNationalSecurityCouncil,whichistheDelegatedCommissionoftheGovernment

forNationalSecurity,assiststhePrimeMinisterindirectingtheNationalSecurityPolicy.

b) Specialised Cyber Security Committee:

TheSpecialisedCyberSecurityCommitteewillsupporttheNationalSecurityCouncilin

performingitsfunctions,particularlyinassistingthePrimeMinisterindirectingandcoordi

natingtheNationalSecurityPolicyinthefieldofcybersecurity.Itwillfurthermorestrength

encoordination,collaborationandcooperationrelationsamongthedifferentPublicAu

thoritieswithresponsibilitiesincybersecuritymattersandbetweenthepublicandprivate

sectors,andwillfacilitatetheCouncil’sdecisionmakingbyanalysing,studyingandproposinginitiativesatboththenationalandtheinternationallevels.

ThecompositionoftheSpecialisedCyberSecurityCommitteewillreflectthespectrum

ofareascoveredbythedepartments,bodiesandagenciesofthePublicAuthoritieswith

responsibilitiesincybersecuritymatters,inordertocoordinateactionsthatneedtobead

dressedjointlywiththeaimofraisingsecuritylevels.

Otherrelevantprivate-sectoractorsandspecialistswhosecontributionisdeemednec

essarymaytakepartintheCommittee.

Incompliancewithitsfunctions,theSpecialisedCyberSecurityCommitteewillbesup

portedbythe National Security DepartmentasaTechnicalSecretariatand permanent

workingbodyoftheNationalSecurityCouncil.



41/43

c) Specialised Situation Committee:

TheSpecialisedSituationCommitteewillbeconvenedtomanagecrisissituationsinthe

fieldofcybersecuritywhich,onaccountofthesignificantcross-cuttingnatureortheextent

andimpactoftheireffects,exceedtheeffectiveresponsecapabilitiesoftheusualmecha

nisms, whilealways respecting the responsi

bilitiesassignedtothedifferentPublicAuthor

itiesinordertoguaranteeanimmediateand “Te Specialised Cyber Security

effective response through a single body in Committee and the SpecialisedchargeofthestrategicandpoliticaldirectionSituation Committee will act in

ofthecrisis.a complementary manner, each

The SpecialisedCyberSecurity Commit- in its own area of responsibility, teeandtheSpecialisedSituationCommittee but under the same strategic andwillactinacomplementarymanner,eachin political direction of the Nationalitsownareaofresponsibility, butunderthe

Security Council chaired by thesame strategic and politicaldirectionof the Prime Minister”National Security Council chaired by the

PrimeMinister.

TheSpecialisedSituationCommitteewillbesupportedbytheSituationCentreofthe

NationalSecurityDepartmentinordertoensureitisinterconnectedwiththeoperational

centresinvolvedandtoprovideanappropriateresponseincrisissituations,facilitatingtheir

monitoringandcontrolandthetransmissionofdecisions.

ToensuretheeffectivefulfilmentofitsfunctionsofsupportingtheSpecialisedSituation

Committee,theSituationCentreoftheNationalSecurityDepartmentmaybereinforced

withspecialisedpersonnelfromministerialdepartmentsorbodieswithresponsibilitiesin

thisarea,whowillmakeupthespecificCoordinationCellinthefieldofCyberSecurity.

NATIONAL CYBER SECURITY STRATEGY 2013 PRESIDENCY OF THE GOVERNMENT 45


42/43


IMPLEMENTATION

ThesettingupoftheSpecialisedCyberSecurityCommitteeandtheSpecialisedSitua tionCommitteeandtheharmonisationoftheirfunctioningwiththeexistingbodieswillbe

carriedoutgraduallythroughtheapprovalofthenecessarylegalprovisionsandreadjust

mentsoftheexistingones,inordertoachievethecoordinatedandefficientfunctioningof

thesecomponentsoftheNationalSecuritySystem.

46


43/43

www.lamoncloa.gob.es
http:///reader/full/www.lamoncloa.gob.eshttp:///reader/full/www.lamoncloa.gob.es

Documents

The National Cyber Security Strategy_Spain