Author: Oxana Gorgan
The growing number of major cybersecurity threats, including those targeting state institutions, has drawn the general public’s attention to the severity of cybersecurity attacks that can undermine the normal functioning of Romanian society. This is especially so since it was proven that the targets of such attacks can include individuals, non-governmental organizations and private entities, and not only the government and other public institutions. Through this article, we aim to present, in a concise manner, Romania’s cybersecurity strategy, with its five assumed objectives and the corresponding actions planned for the following years.
The end of 2021 marked an exciting development in Romania’s cybersecurity legal framework, as the Government approved Romania’s new Cybersecurity Strategy and Action Plan for 2022-2027 (hereinafter “the Strategy”), revising the Cybersecurity Strategy of 2013.
There are a number of factors that made the Cybersecurity Strategy adopted in 2013 obsolete and led to what is referred to as Romania’s Cybersecurity Strategy 2.0:
- The continuous evolution of the cyberattacks, both from a number and complexity perspective;
- The potential regional or global effect of cyberattacks, due to the interconnectivity of services;
- The accelerated development of new technology (such as Internet of Things, Artificial Intelligence, Machine Learning, 5G and future generations);
- Locating the new European Cybersecurity Industrial, Technology and Research Competence Centre in Bucharest, which will play an important role in connecting relevant public actors with those in research and industry.
In response, the Strategy envisions that Romania shall develop and strengthen its capabilities for prevention, deterrence and response, as well as resilience, including through a proactive approach.
Objectives and actions to be taken
The Strategy identifies 5 objectives, which are meant, on the one hand, to consolidate national cybersecurity and Romania’s role at regional, European and international level and, on the other hand, to develop a high-performance digital ecosystem:
A. Secure and resilient computer networks and systems
Ensuring the security and resilience of networks and systems is essential in maintaining a safe economic and social environment, especially from the perspective of protecting the activities related to essential services. From this last point of view, one can see how this objective is also in line with the goals of the revised NIS Directive, known as the NIS2 Directive.
The recently published study on the “Strategic Resilience of the European Union, including in the technological and digital fields: future scenarios and Romania’s contributions”, carried out within the Strategy and Policy Studies (SPOS) series 2021, sheds more light on the concept of strategic resilience and its direct applicability at both EU and national level for Romania.
In order to reach this objective, the Strategy proposes:
- Implementing internal policies and measures that should be applied by the entire staff of an entity;
- Developing detection, investigation and counteraction capabilities for national authorities and institutions;
- Efficient allocation of financial, technological and human resources, in order to reach specialization among operators, authorities and public institutions in the cybersecurity field;
- Strengthening the mechanism for reporting cyber security incidents, especially when it comes to essential entities or entities of critical importance in the field of cybersecurity;
- Creation of certification, compliance and standardization mechanisms in the field of cyber security, for a better identification of cyber risks and vulnerabilities of hardware and software products;
- Securing the supply chain.
The main actions planned in order to implement this objective are the adoption of different sets of guidelines on cybersecurity policies and measures, addressed to both private and public entities; providing support and consultancy for investments in technologies necessary to ensure cyber security and resilience; coordination and prioritization of budget allocations for the cybersecurity component from EU grants, PNRR, etc.; creating a clear set of technical and non-technical verification criteria etc.
B. Consolidated regulatory and institutional framework
The second objective is meant to develop and make more efficient the forms of cooperation between every relevant interested party in the field. It shall do so through:
- Strengthening the regulatory framework, by having it adapted to the permanent technological evolution and in line with the international framework;
- Strengthening the institutional framework. Both the Cyber Security Operational Board and the National Cyber Security Directorate shall improve cooperation and coordination with the relevant parties.
As for the actions planned for the implementation of this objective, one should keep an eye especially on the introduction of the draft Law on Security and Cyber Defense in the legislative initiative proposals of the Ministry of National Defense.
C. Pragmatic public-private partnership
The third objective focuses on the need to ensure a pragmatic partnership between public authorities and institutions from the public administration, private entities, academia and research and citizens, in order to bring major economic and social benefits to our society. In this sense, it shall:
- Carry out public awareness programs and raise the level of cyber security culture
- Develop educational programs in the field of cyber security
- Carry out professional training programs for those who carry out activities in the field of cyber security
- Develop and consolidate security research and innovation in the field of cyber security
- Develop the national cybersecurity industry
Implementing this objective implies actions such as conducting awareness and information programs, development and implementation of cybersecurity study programs at pre-university, or of training centers addressed to different professional fields, boosting and providing consultancy and financial support for initiatives for the development of outdoor incubators and start-ups in the field of cybersecurity etc.
D. Resilience through a proactive approach and discouragement
This objective aims to create a framework that allows the implementation of all the necessary proactive measures, and also to ensure the capabilities and mechanisms that would deter cyberattacks that disrupt society or national security. The measures envisioned in implementing this objective are:
- Development of sectoral CERTs and Operational Security Centers (OSCs), with a role in creating rules and procedures in cybersecurity and shared expertise
- Carrying out exercises with high practical applicability, in cooperation with the private and academic environment
- Developing proactive, reactive and discouraging skills
The actions planned are as follows: providing support and consultancy in order to set up sectoral CERT and OSC teams, organizing and participating in national or international exercises with practical applicability in the field of cybersecurity and organizing civil-military exercises for training and coherent integration of specific procedures for responding to cyber security incidents etc.
E. Romania – relevant actor in international cooperation architecture
With due consideration to the fact that cyber threats are not confined within the borders of a state, this objective aims to adopt a strategy of active participation and reaction with regard to the implementation of international initiatives, policies and dialogues in the cybersecurity field. The key measures to be taken are:
- Strengthening Romania’s role globally
- Strengthening Romania’s role at regional and bilateral level
- Strengthening the role of cyber diplomacy
- Strengthening the capacity to transfer expertise at regional level
Among the actions planned are: creating inter-institutional mechanisms to define national positions and strategies on current cybersecurity issues, implementing the measures provided in the EU Cyber Diplomacy Toolbox, creating a position of high-level diplomatic representation (Ambassador / Representative with special tasks), launching projects with regional impact to ensure the transfer of knowledge and expertise to the states in the region, etc.
Where does the Strategy stand when compared with the future European plans in the cybersecurity area?
On 16 December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy adopted a new EU Cybersecurity Strategy. When comparing the two strategies, there are easily identifiable common points, especially as regards resilience, leadership, cooperation and a cyber-skilled workforce. Nonetheless, one can observe a more focused approach on prevention, deterrence and response in tackling cybercrime in the EU strategy, which acknowledges that “deterrence cannot be achieved through resilience alone”.
With a strong focus on cooperation, efficient communication and proactive strategy, the new Cybersecurity Strategy and Action Plan is undeniably a welcome step forward in creating a more adapted and safer cyberspace for our society and a good response to the constantly growing number of cyber-attacks. The measures envisioned and actions planned for 2022-2027 will, for sure, have a big impact on the way private and public activities are currently handled. That is why we advise taking a close look at the adoption process of the Law on Security and Cyber Defense, being mindful of the guidelines and recommendations issued by the competent authorities (see for example the Practical Guide for ESOs – Implementing minimum requirements for ensuring the security of networks and information systems) and starting to implement measures that would strengthen the resilience of the internal cybersecurity policy.