Austrian National Cyber Security Strategy (ANCSS)
- Data di inizio: 2013
The Austrian Government passed the Austrian National Cyber Security Strategy in 2013. It is a comprehensive and proactive concept for securing the Austrian interests in cyber-space. The strategy builds on and intends to coordinate existing institutions, players and structures (public and public-private partnerships). It brings them together for covering strategical, operational, steering, consulting and countering issues. The new form of governance aims at allowing fast exchange in case of cyber-threats and intends to facilitate a coordinated implementation of counter-measures. Furthermore, the involved stakeholders also provide a periodical overview of the cyber-security situation and coordinate the national cyber-crisis-management.
Its fundamental principles are: 1. rule of law, 2. subsidiarity, 3. self-regulation, 4. proportionality.
The overall coordination is done by the cross-ministerial group (IKDOK), which consists of representatives from the BKA/GovCERT, Ministry of the Interior and the Ministry of Defense.
The implementation is coordinated by the Cyber Security Steering Group (CSS), which is divided into different work groups that are responsible for the implementation of the following fields of action:
Its fields of action include:
1. structures and processes: the development of an overall is done by the CSS
2. governance: the working group provided a report for defining the frame for the implementation of the DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union.
3. cooperation between state, economy and society: the Cyber Security Platform (CSP) was implemented as a frame for existing cooperation formats (such as Austrian Trust Circle, KSÖ Cyber Sicherheit Forum, A-SIT, CSA). It aims at information exchange, awareness and training.
4. protection of critical infrastructures: On November 4, the Austrian Government passed the Austrian Program for Securing Critical Infrastructure (APCIP). It aims at building security partnerships with strategically relevant companies, which run critical infrastructure.
5. awareness and training: several platforms and trainings have been implemented, which are focusing on digital education, prevention and online security and are mainly targeting young people and teachers.
6. research and development: cyber security is emphasized by the involved stakeholders in both the national research program KIRAS as well as for H2020 or the future FP9 program.
7. international cooperation: cyber security is addressed actively by Austria in the institutions of the EU, the UN, OSZE, NATO, OECD etc. as well as in multilateral platforms (Global Conference on Cyberspace, Central European Cyber Security Platform, Freedom Online Coalition). The international activities are coordinated by the Federal Ministry for Europe, Integration and Foreign Affairs.
• Guarantee the availability, reliability and confidentiality of data exchange as well as the integrity of data themselves.
• Work on a secure, resilient and reliable cyber space that is capable of resisting risks, absorbing shocks and adjusting to a changed environment.
• Ensure that the (critical) ICT infrastructures of Austria are secure and resilient to threats.
• Facilitate the cooperation among governmental bodies as well as with partners from the private sector.
• Protect the legal asset “cyber security”
• Building a “culture of cyber security”.
• Strengthen existing cooperation and build new initiatives.
• Act as a pioneer in implementing measures to secure the digital society.
• Offer high levels of availability, integrity and confidentiality of required ICT infrastructures in order to enhance Austria’s attractiveness as a business location.
• Play an active role in international cooperation at European and global level, particularly by exchanging information, formulating international strategies, developing voluntary schemes and legally binding regulations, prosecuting criminal cases, holding transnational exercises and conducting cooperation projects.
• Develop a secure e-government system.
• Cooperate with Austrian companies to support them in protecting the integrity of their own applications as well as the identity and privacy of their customers.
• Increase the awareness and the capabilities among the Austrian population regarding the individual’s personal responsibility in cyber space.
Due to the organisational structure, which was set up for implementing the ANCSS, a long-term sustainability is ensured. Despite changes of the government (which continuously changes the political landscape), it is very likely that the cooperation structure (build based on the ANCSS) remains.
Basically, the strategy can be transferred to other contexts – of course given the existence of similar governmental bodies and state institutions, which are working together under the umbrella of the ANCSS.
For each field of action defined in the ANCSS, between one to five measures for evaluation were included. Furthermore, the implementation group is bi-annually delivering an “implementation report” to the Austrian government (for 2015: https://www.onlinesicherheit.gv.at/service/initiativen_und_angebote/koordination_und_strategie/OeSCS_Bericht_2015.pdf?5wipd0).
Cooperation is established across ministries, with the state institutions and with the private sector.
The following players are involved in the implementation:
• Law Enforcement
• Ministries / State Institutions
• Governmental institutions
• Public Private Partnerships
|Pubblico di riferimento|
|Punti di intervento|
|Rilevanza della valutazione|
|Impatto della valutazione|
|Efficacia della valutazione|
|Efficienza della valutazione|
|Inclusività della valutazione|
|Sostenibilità della valutazione|
As the implementation of the ANCSS is still in progress and as it is considered as a permanent action, the objectives are still valid.
The activities and outputs match with the overall goals so far, but as the ANCSS is a long-term perspective, it will be crucial to follow up on it, for example by going through the next implementation report (2017).
Some of the expected impacts were certainly achieved, while others – such as awareness creation – need more time and continuity.
On the one hand, it is positive that existing resources are bundled and ministries are cooperating for pushing the implementation of the ANCSS forward. On the other hand, as many different players are involved, underlying interests might also play a role regarding reach of the suggestions.
As the coordination of several governmental and non-governmental bodies especially on such a level is a rather complex process, it is clear that the processes are taking time. Nevertheless, the involved stakeholders already implemented several activities and produced relevant output. The cost efficiency is rather high, because already existing resources are bundled for the strategy implementation, which in the end also safes costs (as not each player needs to start from scratch but can build on existing knowledge and support).
While some of the actions are in progress, several actions have been successfully carried out. The implementation groups have proposed a report for the implementation of the EU-Directive 2016/1148. A Cyber Security Platform (CSP) was installed and the Austrian Program for Securing Critical Infrastructure (APCIP) has been implemented. Furthermore, several platforms were installed or adapted and are focusing on digital education, prevention and online security for young people and teachers.
As for the issue of research and development, the national security research program KIRAS has a strong focus on cyber-issues. However, it already had such a focus since a few years. Hence, the impact of the ANCSS is not really clear. the same holds true for the efforts towards to the EU programs such as H2020, where the impact of the ANCSS on the topic calls is not clear.
Further activities such as those related to the international cooperation, cannot be evaluated due to a lack of information.
As the activities based on the ANSCC are intended as long-term actions, it is expected that they are sustainable. However, changes in the government – which results in changing personnel of the ministries – might affect the actual implementation.