10 August 2021
On June 29, 2021, the International Telecommunication Union officially launched the 4th edition of the Global Cybersecurity Index (GCIv4). According to GCIv4, in terms of cybersecurity, the Republic of Kazakhstan ranks 31st in the world and second in the CIS region after the Russian Federation. For comparison: a year earlier the Republic of Kazakhstan ranked 40th in the world.
The ranking of countries in the Global Cybersecurity Index is compiled based on five criteria: legal measures, technical measures, organizational measures, capacity development and cooperation. The GCIv4 report provides data for 193 countries.
In an interview with the ITU Regional Office for CIS Region, Ruslan Kenzhebekovich Abdikalikov, Chairman of the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan, shared his country's experience in developing a National Cybersecurity Concept.
Currently, the Republic of Kazakhstan has approved and is successfully implementing National Cybersecurity Concept "Cyber Shield of Kazakhstan". What were the preconditions to the development the Concept, and how was the concept development process organized?
The precondition to the development of the Cybersecurity Concept was the fact that new technologies, electronic services have become an integral part of the daily life of society. As we become more and more dependent on information technology every day, the protection and availability of these technologies has become a major topic for the state.
That is why on January 31, 2017, in his Address to the people of Kazakhstan, the First President of the Republic of Kazakhstan, Nursultan Nazarbayev, emphasized that the fight against cybercrime is becoming increasingly important, and instructed the Government of the Republic of Kazakhstan to take measures to create the Cyber Shield of Kazakhstan. And literally 5 months later, the Cybersecurity Concept ("Cyber Shield of Kazakhstan") was approved by the Government.
Could you briefly introduce the main provisions of the National Cybersecurity Concept and tell which organizations, in addition to the Ministry of Digital Development, Innovation and Aerospace Industry, participated in its creation and how did you interact with them?
Initially, the draft Concept was prepared by the Ministry based on information about the current situation in the country in the field of cybersecurity. However, this concept took into account only the interests of the state. While according to the legislation of Kazakhstan, any normative legal act must undergo a public discussion, and such a public discussion took place. As a result, the draft cybersecurity concept was criticized by the professional community for being "one-sided".
As a rule, everyone criticizes new national projects, but much less are ready to do something to change the situation for the better. In our case, we were pleasantly surprised that a pool of cybersecurity professionals has already created in Kazakhstan, and we work together to this day.
Based on the outcomes of the public discussion, a working group was created, including parliamentarians, representatives of state bodies, professional and industry associations, higher educational institutions and the IT industry. The group analyzed the current situation in the field of informatization of government agencies, automation of public services, prospects for the development of the digital economy and technological modernization of production processes in industry, expanding the scope of provision of information and communication services. It also studied a wealth of international experience related to different approaches to protecting national information and communication infrastructure.
As a result of extended work process, the Concept was development and approved. This document is being implemented to this day in accordance with the Action Plan for the period until 2022. The Concept defines not only the main directions for the implementation of the state policy in the field of protecting objects of informatization, but also the necessary measures to increase the level of legal, industrial culture of cybersecurity.
The implementation of the Concept allows us to increase the country's readiness to prevent and promptly respond to information security incidents. The Concept also provides basic definitions in the field of cybersecurity and provides the necessary explanations, thus aiming to increase general awareness of the sources of such incidents and the nature of the threats.
What problems related to ensuring national cybersecurity have you identified and how are they being solved? Are you ready to share your experience and, possibly, provide recommendations on building national cybersecurity strategies to other countries in the region?
In the Concept we tried to describe key problems we encountered. In short, these are:
- insufficient awareness of citizens about cybersecurity threats;
- shortage of information security professionals;
- insufficient coverage of infrastructure by means of information protection;
- neglect of information security requirements by organizations;
- small number of trusted software products used in the public sector;
- risks associated with the provision of electronic public services.
To solve the problems and tasks reflected in the Cybersecurity Concept ("Cyber Shield of Kazakhstan"), the Action Plan for the period up to 2022 was approved. We recommend that countries conduct an analysis of the current cybersecurity situation, identify key challenges and threats, learn from the experience of other countries, outline objectives and formulate an action plan to implement a cybersecurity strategy.Kazakhstan is ready to share its experience in the field of cybersecurity in a bilateral/multilateral format.
The continuous development of digital technologies also leads to the emergence of new vulnerabilities and cyber threats. Do you plan to revise the Concept?
The "Cyber Shield of Kazakhstan" Concept was approved for a medium-term of 5 years. At the same time, some activities that were not reflected in the Cybersecurity Concept are included in the State Program "Digital Kazakhstan", the National Security Strategy, as well as in the intradepartmental plans of state bodies.
At the same time, we understand that with the development of technology, security threats are also progressing. Therefore, we cannot remain at what has been achieved so far. In the near future, we will start developing a new document on the development of cybersecurity in Kazakhstan.
Kazakhstan uses the ITU Global Cybersecurity Index as a metric for progress in implementing the Cybersecurity Framework. Why did you choose the Global Cybersecurity Index and what advantages do you see in using it?
To be honest, at the beginning of the development of the draft Concept, we did not know about the existence of such an index, probably because the first report was published in 2016. As I said earlier, after the public discussion of the Concept, we received proposals. Among other things, it was proposed to use the ITU Global Cybersecurity Index as one of the main indicators. After studying the indicators and the methodology for calculating the GCI and the rating of Kazakhstan (at that time, the 23rd group place which ranked us at the 103rd place among 194 countries), we decided to use the GCI as the main indicator.
GCI has undoubtedly made a positive impact on the development of cybersecurity in Kazakhstan. The GCI criteria cover the main aspects of cybersecurity: legal, technical, organizational measures, capacity building and cooperation. This helps us keep an eye on each of these aspects. And most importantly, the use of GCI improved the country's image at the global level due to increase in Kazakhstan's position in the ranking (in just three years, Kazakhstan moved up from 103rd place to the 31st).
According to the GCIv4 report, Kazakhstan scores high on four of the five GCI criteria - legal, technical, organizational and cooperation. How did you manage to achieve this?
This is primarily because the issue of ensuring cybersecurity is one of the priorities for country's leadership. To support our approach a separate body responsibly for cybersecurity was created - the Committee on Information Security tasked to implement state policy in this area, including the development of the cybersecurity market, international cooperation, organizational and technical measures.
Today in Kazakhstan there are about 40 companies dealing with cybersecurity issues, 19 private cyber security operational centers (SOC), 3 computer incident response teams (CERT), 7 private accredited testing laboratories, 8 higher educational institutions and 25 secondary educational institutions. 85 vendors of trusted software and electronics products, as well as a national information security coordination center and an industry information security center (covering the country's financial sector).
Our achievements in the field of cybersecurity became possible only thanks to joint work of government agencies, private companies in the field of IT and cybersecurity, specialized public associations and experts.
According to the GCIv4 report, Kazakhstan also has a high ranking on capacity building criteria, but the report identifies this area as requiring further development. Do you plan to work in this direction in the future? If so, what tasks do you set for yourself?
Undoubtedly, we will continue to work to strengthen Kazakhstan's position in this direction. After each ITU report, we do our homework, analyze the indicators according to the criteria where we have a lower GCI score.
We will intensify efforts to educate the public about cybersecurity threats. Work has already begun on the legal consolidation of the functions and tasks of the inspector in the field of information security (individuals or individual entrepreneurs who will be able to provide various services in the field of cybersecurity), to determine the functions and tasks of the BugBounty sites (introduced as a tool for public control over the state of cybersecurity of informatization objects, including critical ones).
In addition, on behalf of the President of the Republic of Kazakhstan, our Ministry of Digital Development is working to develop domestic production of ICT equipment and software, as well as to create conditions for the development of domestic solutions.
Cybersecurity is one of the key areas of ITU's work in the CIS Region. Cybersecurity and personal data protection issues have been proposed as a priority area of one of the regional initiatives of the CIS countries, which will be approved at the upcoming World Telecommunication Development Conference. We will be glad to hear your suggestions for the development of this area.
When looking into the topic of personal data protection, we would propose to take into account the following evaluation criteria:
- existence of a legislative and regulatory frameworks related to personal data and their protection;
- existence of state structures dealing with protection of personal data and rights of subjects of personal data;
- level of public awareness about protection of rights and freedoms in collection and processing of personal data;
- carrying out technical and organizational measures aimed at preventing leakage of personal data, and ensuring transparency and legitimacy of procedures for data collection;
- existence of administrative and criminal liability for illegal actions with personal data and non-compliance with measures to protect them;
- implementation of state control over the legitimacy of collection, processing of personal data and the proper implementation of measures to protect them.
We are grateful to the ITU team and, in particular, to the ITU Regional Office, especially Farid Nakhli, for their support in the development of cybersecurity in Kazakhstan.
The ITU Regional Office for the CIS Region, in turn, wishes the Communications Administration of Kazakhstan success in implementing the Cybersecurity Concept and strengthening the country's position on the world stage.
|
