Commissioner of Communications: Why cybersecurity is a necessity, not a luxury

For many years cybersecurity was considered a luxury, or more accurately, something that ‘other people’ needed, because ‘it won’t happen to us’.

We are way past this point at this time, and the clichés ring true – it is truly no longer a matter of ‘if’ but ‘when’ you will be hacked. There are endless examples of businesses, governments and even lives jeopardised, just because of the absence of some simple measures. However, our resolution is clear, cybersecurity is no longer a luxury, but a necessity.

Here at the Digital Security Authority (DSA), we understand that it is more crucial than ever to upgrade and maintain high levels of cybersecurity for all operators of essential services and critical information infrastructures in the country, as well as to continuously strive to improve the cybersecurity of our country as a whole. The DSA is an independent state agency, established in April 2018 under the Commissioner of Communications, and holds significant cybersecurity roles at a national level, including that of the Network and Information Systems (NIS) Authority, where it acts as the supervisory body for all of the sectors specified in the NIS Directive. We develop and set the regulatory framework, while at the same time providing tools, training and support to critical entities to assist them in meeting their legal obligations and responsibilities for the implementation of the National Cybersecurity Framework.

The DSA also encompasses the National Computer Security Incident Response Team (CSIRT-CY), which offers proactive services in the form of alerts and warnings to the local and international community, as well as reactive services, such as incident management where needed, to a range of constituents. In tandem, we are building and operating the National Security Operations Centre (SOC) that will support the critical infrastructures through a sophisticated network of sensors, in both the public and private sectors. This will be a significant achievement for Cyprus, as the SOC will operate as a comprehensive early warning system for the country.

Furthermore, the DSA is in the process of establishing the National Cybersecurity Certification Authority (NCCA) based on the provisions of the EU Cybersecurity Act, which aims to establish new cybersecurity certification schemes for products and services, as well as for cloud services and 5G technologies, among others. A very important aspect of these certification schemes is that certification obtained in one European Union country will be recognized throughout the European Union.

The DSA always competes for significant European funding and we have been part of projects amounting to €52 million, with a total of €7 million accounted for the DSA itself in the few years that we have been active. As an example, when the DSA was designated as the National Cybersecurity Coordination Centre (NCC) for Cyprus, we were immediately able to successfully obtain funding for a 2-year programme to build up its necessary capabilities, through a competitive process, being one of the first five countries in the EU to manage this. The NCC acts as the national contact point for the cybersecurity community, with the main objective of ensuring that all stakeholders, including small and medium-sized enterprises (SMEs), have adequate support and access to knowledge, research and development results in the field of cybersecurity. Our vision for Cyprus is to become a leading regional centre in the field of cybersecurity services, while ensuring a reliable and protected cyberspace for all citizens and businesses. The NCC will assess requests by stakeholders established in Cyprus to become members of the European Cybersecurity Community. Members of the Community will have the opportunity to network by getting in touch with key European cybersecurity stakeholders. They will be able to extend their operational cooperation and be recognized at national, EU and international level by unlocking the potential for joint initiatives and projects.

As a hallmark activity, the NCC has already developed a cybersecurity certification scheme that can be implemented by businesses, notably SMEs, which provides a clear statement of the key criteria, procedures and controls, for a minimum baseline level of cybersecurity. The aim is to provide guidance and promote the establishment of basic cyber hygiene in businesses in Cyprus, to enable them to protect themselves from the most common cyber threats. The NCC will even provide financial support to SMEs in the form of subsidy funds to help them implement the scheme, through a structured call for funding proposals that will be announced very soon.

Finally, the NCC will engage with national authorities and stakeholders, as well as regional partners regarding the promotion and dissemination of cybersecurity educational programmes. To this end, having long recognised the importance of capacity building and cooperation – not only nationally but regionally – we are currently developing a regional training facility in our new offices. Its purpose is to accommodate internal trainings for DSA staff, to offer specialized trainings to the operators of critical infrastructures for capacity building and awareness purposes, as well as for the upskilling of other organisations’ ICT staff in cybersecurity. Through our long-established cooperation with a number of countries and organisations in the wider region, we will also be hosting training activities for participants from other countries. Additionally, to further facilitate such capacity building, a Cyber-Range platform has been built with the University of Cyprus, which provides near-real-life experiences to trainees with simulation exercises. We look forward to providing an excellent training environment and making Cyprus a point of reference when it comes to specialized cybersecurity training. We also look forward to continuing the development and improvement of cybersecurity in Cyprus in the years to come. As a preview, I would like to mention that we have recruited 20 new permanent staff members and that 2024 will bring the implementation of the NIS2 Directive, with a significantly wider scope of protection, as well as a new national cybersecurity strategy to be implemented from 2025 onwards.

As a final note, I would like to reiterate that we are not in this alone – we must all understand the vital importance of cybersecurity in our everyday lives. We are constantly building, constantly evolving; but we can only be stronger together.

George Michaelides, Commissioner of Communications, Digital Security Authority (DSA)

This article first appeared in July edition of GOLD magazine. Click here to view it.