NBU-National Security Authority

The establishment of the National Security Authority has historical connections to the negotiations for Slovakia’s accession into the European Union (EU) and the North Atlantic Treaty Organisation (NATO), which required the creation of an independent institution responsible for protecting classified information and cryptographic protection of information. The Authority commenced its activities on November 1st, 2001 and smoothly took over the activities from its predecessor, the Ministry of Interior of the Slovak Republic.
The Authority has been assigned with new tasks and roles gradually over time. The Authority expanded its activities in 2002 to include electronic signature, since 2015, it has provided the Judicial Council of the Slovak Republic with dossiers used in the vetting process for judicial eligibility and in 2016 the Authority assumed responsibility for cyber security matters in Slovakia.
The most recent change was brought on by the European Regulation concerning electronic identification and trust services (eIDAS) and the Act on Trust Services, with accordance to the use of the electronic signature and other related services, covered by the summary term “trust services”.

The National Security Authority is the central government body for Protection of Classified Information, Cryptographic Services, Trust Services and Cyber Security. The Authority, as the central government body for the protection of classified information, conducts security clearance screenings of natural persons and legal entities, secures the protection of foreign information and functions. Cyber security is a major competency that was assigned to the Authority effective January 1st, 2016. However, the Authority’s activities in this area began long before the official handover date.

Authority, as the central government body, is in the performance of its duties governed by Constitution of the Slovak Republic, constitutional laws, legally binding acts of the European Union, international treaties binding the Slovak Republic, laws and other generally binding legal regulation, resolutions of the Government of the Slovak Republic, its Status and organizational regulations and other internal regulation of the Authority. The most relevant are the laws regulating the area of protection of classified information, cryptographic protection of information and trust services and the Act on Cyber Security.

Similar authorities are functioning in other member states of the EU.

The Authority annually submits Activity Report of the National Security Authority to the Special Audit Committee of the National Council of the Slovak Republic for the control of the activities. The Office is also the subject of regular NATO and EU inspections.

International collaboration immediately followed the establishment of the Authority focused on preparations for Slovakia’s accession to NATO and the EU. The Authority kicked off bilateral collaboration with NATO and EU Member States with the objective of creating conditions for mutual exchange and protection of classified information and collaboration in the performance of security clearance screening activities.
Changes involved also bilateral cooperation. The Authority transitioned from an aid beneficiary to an aid provider to countries expressing interest in partnership or membership in NATO and the EU. The Authority began providing specialised and material aid, in particular to the countries of the Western Balkans. In addition to assisting these countries, the Authority continued to deepen collaboration with non-member states of the EU and NATO.
The list of actors includes the Slovak police force, Slovak Information Service, Ministry of Interior, NATO – NOS, ESCD, GSC, HWG on Cyber Security.

8.793.648,00 € for the year 2017

National security authority. Accessed September 12, 2017. http://www.nbusr.sk/en/index.html

http://www.nbusr.sk

Classified information is a vital information for the country, that must be protected against disclosure, misuse, damage, unauthorised duplication, destruction, loss or theft. In accordance with the Classified Information Protection Concept, which the Authority completed in 2007, is the protection of the classified information in accordance of its security classification level focused on mitigating security risks to an acceptable level. These risks change dynamically depending on changes in the security environment. The set of defined classified information is therefore concentrated into lists of classified information.
The dependency of today’s society on information and communication technologies increases every day; over the past decade, these have changed and impacted almost every aspect of our lives. Human activities are slowly but surely shifting, to a large extent, from physical space to cyberspace. On the one hand, information and communication technologies make our lives easier, speeding up communication and access to information and services. On the other hand, however, the increasing dependency of the public and private sectors on these technologies, if insufficiently protected, renders them more vulnerable, making cyber security one of the most important challenges the state has to face today. Globalism and the significance of impacts of potential cyber attacks have resulted in the need for a conceptual and coordinated control of protection and defence of cyber space.

Performing security clearance screening of natural persons is one of the key activities of the Authority. In 2016, the Authority issued 3901 clearance certificates for classified information, of which 1533 for the Defence Department.
From 2015, the Office handles requests from the Judicial Council of the Slovak Republic for evaluation of material on eligibility of candidates for judges. In 2016, the Office provided the Judicial Council of the Slovak Republic material with evaluation of 55 candidates (51 in 2015).
In relation to classified information of NATO and the EU, 3088 persons were granted the certificate in 2016 (1518 NATO certificates and 1570 EU certificates). The Office has also issued three NATO ATOMAL certificates that justify access to NATO Strategic Nuclear Deterrence information and are issued to a narrow circle of people.
Currently the Authority is working on drafting of the Act on Cyber Security to comprehensively cover cyber and information security, introduce basic security requirements and other measures critical for coordinating the protection of information, communication and management systems. At the same time, the European NIS Directive on network and information security is being transposed into Slovak legislative.

The authority in terms of the management of funds respects the principles of economy, efficiency and effectiveness and is governed in particular by the Act on the Financial Rules of the Public Administration, the Resolutions of the Government of the Slovak Republic and the Methodical Instructions of the Ministry of Finance of the Slovak Republic.

The Authority conducts security clearance screenings for natural persons and legal entities (entrepreneurs). The four-level system of classification for classified information corresponds to the four-level system of security clearance screenings
The Authority issues clearance certificates for classified information and industrial security confirmation to entrepreneurs.
In relation to classified EU or NATO information, the Authority issues security clearance certificates to citizens and industrial security certificates to entrepreneurs for the accessibility to the classified EU and NATO information.
The Slovak government supported the Authority’s ambitions in 2014 with the approval of the Preparations of the Slovak Republic to Fulfil Cyber Defence Tasks document and in particular a year later with the adoption of a key strategic document, the Cyber Security Strategy of the Slovak Republic for 2015 – 2020, which lays out an institutional framework containing the Authority as the central body for cyber security. Specific proposals from the strategy have been transposed into amendments of the Act on Competencies, which resulted in the Authority becoming the central government body for cyber security.
Developments continued in 2016. A second-generation Memorandum of Understanding between NATO and Slovakia was signed in January and in March the Slovak government approved the Action Plan for Implementing the Strategy, which defines the methods and tools Slovakia will use to attempt and mitigate the risks and threats originating from cyberspace and adopt legislative, technical and coordinating measures.

In 2016, SK CSIRC published and distributed 72 national (bulletin, caution, appeal, report, sitrep) documents on cyber issues and 11 cyber security reports in the Slovak Republic for the Cyber Security Committee. In addition, it also distributed 180 EU and NATO cyber issues.
In order to raise awareness of cyber security, the Authority organized, participated in the organization of workshops, seminars and conferences.
The Authority also focused on enhancing the expertise of members of the Cyber Security Office. In cooperation with CSIRT.SK the Authority organized training sessions as well as training on potential threats faced by countries under the presidency of the EU Council. The demonstrations of the existing threats were presented and possible defence mechanisms against them.

The Authority became the National Authority for Cyber Security on January 1st, 2016. As with the protection of classified information, the Authority represents the primary contact point for NATO and the EU. The activities of the Authority’s foreign offices were modified, tasking seconded officers to represent the Authority in working groups and committees focused on the issue of cyber security.
Taking into consideration the importance of this area, the Authority signed a Memorandum of Understanding with NATO in the first half of 2016 concerning cyber defence collaboration and joined into a public-private partnership initiative involving the European Commission, the European Cyber Security Organisation, of which the Authority became a founding member.
At the bilateral level, cyber security collaboration was initiated with select countries, which represents the Authority’s primary activity in the coming years.