Abstract: The National Cyberspace Security Strategy of the Islamic Republic of Iran has recently been approved. Two other initial experiences in this regard are the documents published by the governments of Finland and the United States. In this paper, we examine and compare these three national information security strategies. For this purpose, we first briefly review the process of achieving the related strategies in these countries as well as the contents of each strategy, and then, in a comparative examination, their common features and their differences are identified. The strategies are compared with respect to their motivation, their way of formulation, the strategy architectures and models, the major orientation of each strategy, and the executive organization considered for strategy implementation.
[Figure 2: Comparative models of the security strategy planning in Finland, US and Iran. Panels: Finland, US, Iran. Recoverable labels: Preliminary Studies, Goal Definition, Executors, Coordinators, Lead Agencies, ISACs.]
In the second phase of the strategy planning process, the desired goal, which is defined in the form of vision, strategic objectives, etc., is explained further and broken down hierarchically. In Finland's model, the derived vision has been broken into five main policies, and then the objectives of each policy as well as the required measures for each objective have been explained. In the US model, three strategic objectives are broken into five priorities, which have been detailed in turn. In addition, along with determining different levels of information security in the society, the importance of priorities for each level has been decided and discussed separately. In Iran's model, after an exact explanation of the vision in the form of high-level policies and objectives, six main strategies and their corresponding measures have been enumerated.

The last stage of the strategy planning is the planning of its implementation. In Finland's model, as mentioned before, the different roles in implementation of the strategy, as well as their responsibilities regarding measures and the implementation schedules, have been determined. In the US model, in this phase, a strong joint structure of public and private sectors, including both executors and coordinators, is envisaged to implement the strategy. The Department of Defense (DoD) has the key role in this composite structure. Furthermore, a set of guiding principles has been proposed to assist in putting the strategy into effect.

In Iran's model, the executive responsibility to implement the strategy is divided among the existing governmental organizations according to their current role or their role in the new conditions. Given the large number of executor organizations, the required staff and support responsibilities have been assigned to the Management and Planning Organization (which is also responsible for adjustment and execution of the national five-year development plans). The only newly created organization is the secretariat of the High Council of Cyberspace Security, which is responsible for coordination between the engaged organizations. In addition, at the end of the strategy document, as the required guidelines and execution plans, emphasis has been placed on using scientific and experience-based methods, transparent determination of responsibilities and authorities, and exact scheduling.

In addition to the above structural comparison, we can compare the strategies regarding their content:

• The general viewpoint of the US strategy is “to secure the cyberspace”, while for Finland's strategy it is to achieve an information-secure society. The viewpoint of Iran's strategy is to safeguard the national jurisdiction and authority. Since cyberspace is not bounded by geographical boundaries and can encompass the whole world, we can better understand the differences between the viewpoints.

• It can be understood from the contents of the strategies that the US's motivation for planning the strategy is to provide national security (particularly when we see that the strategy was presented after the events of September 11, 2001); hence there is a special emphasis in the US strategy on providing readiness for interaction against cyberspace security risks. Finland's strategy motivation, by contrast, is “national development and competitiveness”. Iran's motivation for planning the strategy is something in the middle. Although Iran's strategy was prepared in calmer conditions than the US's, in comparison with Finland's strategy the apprehension of newly arisen threats prevails over the attraction of newly appeared opportunities. Accordingly, we can say that Iran's motivation for planning the strategy is “to protect the national profits in the information age”. So the general nature of the strategies for the US, Finland, and Iran is defensive, developmental, and protective, respectively.

• The proposing and planning of all three strategies originated from the highest executive positions in the country. The US strategy has been planned by the President's Critical Infrastructure Protection Board (PCIB), Finland's strategy has been developed by the Advisory Committee for Information Security (ACIS) in Finland's Government, and Iran's strategy has been derived by the High Council of Cyberspace Security (HCCS) under the direction of the first vice president.

• In the US strategy, the executive direction is mainly assigned to the DHS (a newly founded ministry) along with a joint structure of the public and private sectors, while in Finland's strategy, the Advisory Committee along with various existing government organizations is in charge of implementing the strategy. For Iran's strategy, this duty has been shared between different existing government organizations under the supervision of the Management and Planning Organization and the HCCS.

Table 1 shows the summary of comparisons between the security strategies of Finland, US, and Iran.

6. CONCLUDING REMARKS

The goal of this paper was to examine national-level information security strategies, their main elements and their planning process. There are many questions that should be correctly answered in this regard. Looking for the right initial view of the problem, the starting point and the turning points of the study, the main methods and tools for the study, the scale and duration of the study, the required level of detail, executive aspects and so on are all typical questions that should be answered appropriately.
Table 1: The comparison summary

| | Finland | US | Iran |
|---|---|---|---|
| Motivation | National Development and Competitiveness | Protecting National Security | Protection of the national profits in the information age |
| Strategy nature | Developmental | Defensive | Protective |
| Strategy owner | Advisory Committee for Information Security (ACIS) in the Finland’s Government | President's Critical Infrastructure Protection Board | High Council of Cyberspace Security |
| Main strategy executor | Existing government organizations | Department of Homeland Security | Existing government organizations |
| Policies (FN) / Priorities (US) / Strategies (IR) | International and national cooperation; Supporting the development and competitiveness of society; Improving information security risk management; Safeguarding the fundamental rights of the individual; Improving information security awareness and competence | A national cyberspace security response system; A national cyberspace security threat and vulnerability reduction program; A national cyberspace security awareness and training program; Securing governments’ cyberspace; National security and international cyberspace security cooperation | Securing the critical infrastructures against electronic attacks; Creation and development of nation-wide cyberspace security systems; Health provision and prevention of the content related risks in cyberspace; Strengthening the security industry and expanding the cyberspace security related services and products; Support of research and promotion of cyberspace security related awareness, knowledge and skills; Promotion of national, regional and international cooperation in cyberspace security |
Our method in this paper was to examine and compare three experiences reported during recent years in Finland, the United States, and Iran. For this purpose, we first briefly reviewed the process of achieving the related strategies in these countries separately, based on their available documents. After that, in a comparative examination, their common features as well as their differences were identified.

We show that the planning process to achieve national information security can be divided into three phases: goal definition, strategy definition, and strategy implementation planning. The outcome of the goal definition phase is the vision. In the strategy definition phase, after traversing apparently different paths, the optimized method for putting the extracted vision into effect is extracted. The extracted method is then explained in the form of strategies, policies/priorities, and the required measures. Finally, in the last phase, to address the strategy implementation problem, other issues such as task planning, scheduling and responsibility assignment are considered. In addition to the comparison of the strategies' structures and their planning process, we compared them from the viewpoint of their content. We saw how the special conditions and temporal/spatial circumstances of a country influence the vision, motivation, nature and even the method of implementation of the strategy.

ACKNOWLEDGEMENT

The authors thank the Iranian Telecommunication Research Center (ITRC) and the PayamPardaz Company for their assistance in doing this research.

REFERENCES

1. Finland’s Advisory Committee for Information Security, “Information security strategy review related to the national information security strategy”, http://www.ficora.fi/, Jun 2002.
2. Finland’s Advisory Committee for Information Security, “Information security strategy proposal of Finland”, http://www.ficora.fi, Nov. 2002.
3. Finland’s Ministry of Transport and Communications, “Government Resolution on National Information Security Strategy”, September 2003. Available from http://www.mintc.fi/www/sivut/dokumentit/viestinta/tieto/tietoeng.htm
4. T. Casey, “The National Strategy to Secure Cyberspace: An In-Depth Review”, SANS Institute, 2003.
5. The White House, Washington, “The National Strategy to Secure Cyberspace”, Feb 2003.
6. High Council of Cyberspace Security, “Preliminary Studies for Preparing the National Cyberspace Security Strategy”, Technical Report, http://www.afta.ir/, May 2004 (in Persian).
7. High Council of Cyberspace Security, “National Cyberspace Security Strategy”, http://www.afta.ir/, January 2005 (in Persian).
8. Organization for Economic Co-operation and Development (OECD), “Culture of Security - National implementation initiatives”. Available from http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf/viewHtml/index/$FILE/implementation.htm