
A Comparative Study on National Information Security Strategies in Finland, US and Iran*


Behrouz Tork Ladani¹, Mehdi Berenjkoub²
¹ Dept. of Computer Engineering, University of Isfahan, Isfahan, Iran, ladani@eng.ui.ac.ir
² Dept. of Communication Engineering, Isfahan University of Technology, Isfahan, Iran, brnjkb@cc.iut.ac.ir

Abstract - The National Cyberspace Security Strategy of the Islamic Republic of Iran has been recently approved.
Two other initial experiences in this regard are the documents published by Finland and the United States
governments. In this paper, we examine and compare these three national information security strategies. For this
purpose, we first briefly review the process of achieving the related strategies in these countries as well as the
contents of each strategy, and then in a comparative examination, their common features and their differences are
identified. The strategies are compared along with their motivation, their way of formulation, the strategy
architectures and models, the major orientation of each strategy, and the executive organization considered for
strategy implementation.

Keywords - Information Security Strategy, Cyberspace Security Strategy, Strategy planning

1. INTRODUCTION*

The rapidly changing nature of information technology and its effect on the whole of human life on the one hand, and the dramatically rising motivation of threats in this domain on the other hand, cause information security to become a general requirement and a common sense. In this way, the necessity of both correct assignment of the limited information security resources and defining the participation boundaries of the society reveals the importance of strategic thinking to find the best answer to this common request.

In response to the necessity of a national document as an information security top-level promise in different sections of the Iranian society, the preliminary studies to achieve a national information security strategy began in October 2003 [6]. In December 2004, the results of the studies were published for evaluation in the form of a draft strategy named “National Cyberspace Security Strategy”. Finally, in June 2005 the document was approved by the government of the Islamic Republic of Iran [7].

Two initial experiences which are more similar to the Iranian national cyberspace security strategy are the documents published in this regard by the governments of Finland and the United States. Finland’s national security strategy proposal was published by an Advisory Committee in Finland’s government in November 2002 [2] and finally approved in September 2003 [3]. The United States’ national strategy to secure cyberspace was also publicized in February 2003 by the US government [5]. This strategy was based on the policies after September 11, 2001 to address the new serious vulnerabilities of the US society to cyberspace risks.

Note that until now, a number of other countries including Australia, Austria, Czech Republic, France, Germany, Italy, Netherlands, Norway and Turkey have published some related documents. The Organization for Economic Co-operation and Development (OECD) has collected the above corresponding documents in its official web page [8].

In this paper, in addition to a short review of the national information security strategies of Finland, US and Iran, we try to compare them by finding their common properties and aspects as well as their differences. To do so, the strategies are compared along with their motivation, their way of formulation, and the structure and architecture of each strategy. We also analyze the content of each strategy to find their major orientations and the executive structures considered for their implementation.

In the rest of the paper, we first briefly review the Finland, US and Iran national information security strategies and then we try to compare them. At the end we conclude our discussions.

* This research has been performed in PayamPardaz company with partial support of the Iranian Telecommunication Research Center (ITRC).

2. FINLAND’S NATIONAL INFORMATION SECURITY STRATEGY

The main studies for drafting Finland’s national information security strategy were started in May 2002 by a particular Advisory Committee in Finland’s government, and after about 6 months, on November 25, 2002, their first proposal was published. After that, in September 2003, the modified proposal was approved by Finland’s government. The main stages in drafting the first proposal have been reported as follows [1]:

1- Analysis of the domestic and international development trends in information security – at first 50 main trends were determined and then from them seven “mega-trends” affecting information security were identified.
2- Identifying the threats and opportunities – the seven mega-trends were examined for their corresponding threats and opportunities for the Finland society.
3- Prioritizing the mega-trends – the likelihood and importance of each mega-trend were reevaluated and prioritized.
4- Determining the strategy – based on the above studies, the vision (goal) and policies were formulated and then objectives outlining the policies, and the measures to support these objectives, were identified.
5- Defining the strategy’s implementation structure – the required organization structure, responsibilities, and the measures’ schedules to implement the strategy were determined.

There are not adequate explanations about the process of analyzing the threats and opportunities, prioritizing the mega-trends and finally deriving the strategy. However, as the result of these analyses, Finland’s Information Security Vision, which sets out succinctly the desired state to be attained by the year 2010, has been derived as follows:

“Finland will be an information-secure society that everyone can trust in and that enables all parties to manage and communicate information safely”.

This vision has been broken down hierarchically to achieve its five major policies. Then the objectives of each policy and the required measures for each objective have been determined [3].

The following five policies have been derived from Finland’s information security vision:

1- International and national cooperation
2- Supporting the development and competitiveness of society
3- Improving information security risk management
4- Safeguarding the fundamental rights of the individuals
5- Improving information security awareness and competence

For implementing the strategy, it has been planned to use the existing cooperation frameworks and organizations. The Government, at the highest executive level, owns the information security strategy and is responsible for its implementation. After that, the advisory board for information security draws up the national information security strategy proposal, monitors the implementation of the approved strategy and makes regular proposals for updating the strategy. At the third level, various actors including the government ministries participate in implementing the strategy. These actors are responsible for deriving the project details, drawing up the cost-benefit analyses of their projects or measures, and monitoring the progress of each project in the related domain. Each ministry regularly reports the progress of its own projects to the advisory committee.

3. US’S NATIONAL STRATEGY TO SECURE CYBERSPACE

After September 11, 2001, the US government paid special attention to the subject of national security. In this regard, a new ministry named the Department of Homeland Security, or DHS, was organized. Information technology, despite its benefits, is considered the source of many vulnerabilities for the United States. Thus, a lot of activities have been started by DHS to reduce these kinds of vulnerabilities.

The National Strategy to Secure Cyberspace is one of these efforts to focus on the security of information technology. It was announced in February 2003 by the President's Critical Infrastructure Protection Board. Cyberspace is the network of information technology infrastructures composed of all the interconnected computers, servers, routers, switches, and the communication channels that allow the critical infrastructures to work. Cyberspace is considered as the nervous system of the United States, i.e. the control system of the country. The Internet, with all of its vulnerabilities and threats, is the core of the US cyberspace. The entire society, i.e. the federal government, state and local governments, the private sector, and the American people, is influenced by cyberspace.

The following three strategic objectives have been determined for the National Strategy to Secure Cyberspace:

• Preventing cyber attacks against America’s critical infrastructures
• Reducing national vulnerability to cyber attacks
• Minimizing damage and recovery time from cyber attacks that do occur

To achieve the above strategic objectives, the strategy articulates five priorities including:

I. A national cyberspace security response system
II. A national cyberspace security threat and vulnerability reduction program
III. A national cyberspace security awareness and training program
IV. Securing governments’ cyberspace
V. National security and international cyberspace security cooperation

Cyberspace security requires action on multiple levels and by a diverse group of actors. So based on the above priorities, the cyberspace security community has been classified in five levels from the smallest scale, i.e. home user/small business, to the largest scale of the global issues. The cyberspace security priorities are different for each level and each level responds to a part of the priorities. In this way, the role and responsibility of the entire American society (and even the global society) with respect to the cyberspace security priorities have been determined.

The following six organizing principles have been stated to guide the proper development and implementation of the cyberspace security strategy directives:

• Conducting a national effort
• Protecting the privacy and civil liberties
• Deriving the strategy by market forces rather than the government regulation
• Accountability and responsibility
• Ensuring Flexibility
• Multi-Year Planning

An adequate organization planning has been performed to implement the US cyberspace security strategy. Figure 1 shows the implementation organization of the strategy. The implementation structure is composed of two parts: the strategy executors and the activity coordinators. The executors themselves are either in the government section or in the private section. In the government section, the Department of Homeland Security gets the bulk of the responsibility in executing the strategy. Furthermore, six other government departments are listed as the “lead agencies” for executing the strategy in their related specified domains.

[Figure 1 is an organization chart. Executors: the government section (DHS and the lead agencies DoT, DoH, DoE, DoA, DoD, EPA) and the private section (ISACs). Coordinators: OSTP, OMB, DoJ & FBI, DoS & CIA.]

Figure 1: US cyberspace security strategy implementation organization


In the private section, some special Information Sharing and Analysis Centers, named ISACs [4], have been constituted for each domain. ISACs are industry sector-driven, limited liability companies. For example, there is an ISAC for financial institutions, a separate ISAC for electric utility companies, and so on. The main responsibility of the ISACs is to provide a proper infrastructure for sharing the information related to vulnerabilities and threats, timely analysis, and fast awareness to all the engaged domains while protecting the confidentiality of the harmed section. To do this, a special secure Cyber Warning and Information Network (CWIN) has been designed for communications among the ISACs themselves and between the ISACs and the DHS. Note that the DHS has the key role in communication between ISACs and the other government sections.

On the coordinators side, the Office of Science and Technology Policy (OSTP) coordinates research and development to support critical infrastructure protection. The Office of Management and Budget (OMB) oversees the implementation of government-wide policies, principles, standards, and guidelines for federal government computer security programs. The Department of State coordinates international outreach on cyber-security. The Director of Central Intelligence is responsible for assessing the foreign threat to U.S. networks and systems. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) lead the national effort to investigate and prosecute cyber-crime.

4. IRAN’S NATIONAL CYBERSPACE SECURITY STRATEGY

After reflection of the need for a national information security strategy by different executive sections in the country and its approval by a team of related experts, the Iranian Telecommunication Research Center (ITRC) initiated a series of preliminary studies for this purpose in October 2003. At the same time, in Iran's fourth five-year development plan the mission of providing the national document of information security strategy was assigned to the government. In January 2004, the High Council of Cyberspace Security (HCCS), under supervision of the first vice president, was organized and put in charge of directing the preparation of the noted strategy. At the end of that year, the first draft of the document, named “National Cyberspace Security Strategy”, was released for evaluation by the specialists. Finally, in May 2005 the strategy was approved by the government and published as a part of the fourth development plan documents.

The titles of the preliminary studies performed were as follows:

• A review on the related national and international activities
• Analysis of the Iranian information security community aspects and its position among other topics
• Drafting the main strategy titles and the required RFPs
• A proposal for the strategy’s structure as well as suitable organization for preparing the strategy

In addition to the above studies, special working groups were set up in five areas of defense and national security, infrastructure, business and economy, culture and society, and justice and law to address the related issues. Regarding the initial studies, the domain experts’ ideas and the summary of working group discussions, the strategy vision was determined as follows:

“Continuing the path toward the twenty-year vision of the Islamic Republic of Iran, the security of cyberspace has been provided to safeguard the national jurisdiction and authority, to prevent threats to the critical infrastructure of the country, and to provide the trust and tranquility of the citizens to do any legal affairs such as business, social, and cultural activities”

The high level policies to achieve the above vision are as follows:

• Reliance on the internal capabilities and effort to employ the private section
• Balance between security, cost, and efficiency
• Centralization in policy-making and systematization in execution
• Effort to national, regional and international cooperation

Along with the high level policies to achieve the vision, for clearer comprehension of the vision, the high level strategy objectives have been determined as follows:

• Safeguarding the religious-national identity and the human values of the society in cyberspace
• Protection of privacy and legal liabilities
• Safeguarding national profits, secrets and authority in cyberspace
• Protecting the critical infrastructures of the country against electronic attacks
• Protection of the natural and spiritual assets, business secrets, and the private ownership in cyberspace

The strategies to achieve the vision with respect to the above high level objectives are considered as follows:

• Securing the critical infrastructures of the country against electronic attacks
• Creation and development of nation-wide cyberspace security systems
• Health provision and prevention of the content related risks in cyberspace
• Strengthening the security industry and expanding the cyberspace security related services and products
• Support of research and promotion of cyberspace security related awareness, knowledge and skills
• Promotion of national, regional and international cooperation in cyberspace security

To implement the above strategies, a series of measures for each strategy as well as the organizations that should be in charge of them have been determined. The details of the measures and the corresponding responsibilities have been described in [7].

To facilitate the implementation of the measures and for better coordination between the executive organizations, a list of guidelines has been provided. Some of them are as follows:

• Reliance on scientific methods in performing the tasks
• Emphasis on maximum transparency in design and implementation
• Avoidance of creating extra, additive and parallel organizations
• Exact clarification of the responsibilities and authorities of the organizations in cyberspace security systems

In the last section of the strategy document, titled “executive arrangements”, the assigned tasks and missions of the executive organizations (i.e. the government departments) as well as the monitoring, auditing, support, and staff organizations (i.e. HCCS secretariat and Department of management and planning) have been described.

5. COMPARISON OF THE STRATEGIES

In Figure 2, the general models of the security strategy planning in Finland, US and Iran are shown. The figure shows the similar aspects of the three strategies as well as their differences. The total process of strategy development for all of them can be divided into three phases: Goal definition, Strategy definition, and Strategy implementation planning.

The Goal definition phase is of high importance and relies on the results of initial studies as well as the knowledge and expertise of the strategy planning team. According to the classical models of strategic planning, the studies in this phase include internal and external analysis to understand the existing strengths and weaknesses as well as opportunities and threats (SWOT) in national level information security. In the initial study report of Finland’s Advisory Committee, mainly the information security threats in the Finland society and the corresponding performed countermeasures have been analyzed [2]. Using the results of these studies, Finland’s vision of information security in 2010 has been derived, while in the US strategy model, as mentioned before, three strategic objectives have been derived as the results of similar studies. In Iran’s strategy document also, the Goal definition phase has been performed using a series of studies [6] as well as setting up some special workgroups for analysis and exact identification of the SWOT. In Iran’s strategy, the vision has been further explained by a series of high level objectives.

[Figure 2 is a diagram with one column each for Finland, US and Iran, divided into three phases: Goal Definition ("What is the problem?"), Strategy Definition ("What is the solution?") and Strategy Implementation Planning ("How can we implement the solution?").]

Figure 2: Comparative models of the security strategy planning in Finland, US and Iran

In the second phase of the strategy planning process, the desired goal, which is defined in the form of vision, strategic objectives, etc., is further explained and broken down hierarchically. In Finland’s model, the derived vision has been broken into five main policies, then the objectives of each policy as well as the required measures for each objective have been explained. In the US model, three strategic objectives are broken into five priorities which have been detailed in turn. In addition, along with determining different levels of information security in the society, the importance of priorities for each level has been decided and discussed separately. In Iran’s model, after exact explanation of the vision in the form of high-level policies and objectives, six main strategies and their corresponding measures have been enumerated.

The last stage of the strategy planning is the planning of its implementation. In Finland’s model, as mentioned before, the different roles in implementation of the strategy as well as their responsibilities regarding measures, and the implementation schedules have been determined. In the US model, in this phase, a strong joint structure of public and private sections including both executors and coordinators is predicted to implement the strategy. Department of Defense (DoD) has the key role in this composed structure. Furthermore, a set of guiding principles has been proposed to assist in better putting the strategy into effect.

In Iran’s model, the executive responsibility to implement the strategy is divided among the present governmental organizations regarding their current role or their role in the new conditions. Regarding the large number of executor organizations, the required staff and support responsibilities have been assigned to the Management and Planning Organization (which is also responsible for adjustment and execution of the national five-year development plans). The only newly created organization is the secretariat of the High Council of Cyberspace Security, which is responsible for coordination between engaged organizations. In addition, at the end of the strategy document, as the required guidelines and execution plans, emphasis has been placed on using scientific and experienced methods, transparent determination of responsibilities and authorities, and exact scheduling.

In addition to the above structural comparison, we can compare the strategies regarding their content:

• The general viewpoint in the light of the US strategy is “to secure the cyberspace”, while for Finland’s strategy, it is to achieve an information-secure society. Iran’s strategy viewpoint is to safeguard the national jurisdiction and authority. Since cyberspace is not bounded by geographical boundaries and can encompass all the world, we can better understand the differences between the viewpoints.
• It can be understood from the strategies’ contents that the US’s motivation for planning the strategy is to provide national security (particularly when we see that the strategy has been presented after the events of September 11, 2001), hence there is a special emphasis in the US’s strategy on providing readiness for interaction against the cyberspace security risks, while Finland’s strategy motivation is “national development and competitiveness”. On the other hand, Iran’s motivation for planning the strategy is something in the middle. Although Iran’s strategy has been provided in calmer conditions than the US, in comparison with Finland’s strategy the apprehension of the newly arisen threats has prevalence over the attractions of the newly appeared opportunities. In this order, we can say that Iran’s motivation for planning the strategy is “to protect the national profits in the information age”. So the general nature of the strategies for US, Finland, and Iran is defensive, developmental, and protective, in that order.
• Proposing and planning of all three strategies originated from the highest executive positions in the country. The US’s strategy has been planned by the President's Critical Infrastructure Protection Board (PCIB), Finland’s strategy has been developed by the Advisory Committee for Information Security (ACIS) in Finland’s Government, and Iran’s strategy has been derived by the High Council of Cyberspace Security (HCCS) under direction of the first vice president.
• In the US’s strategy, the executive direction is mainly assigned to the DHS (a newly founded ministry) along with a joint structure of the public and private section, while in Finland’s strategy, the Advisory Committee along with various existing government organizations is in charge of implementing the strategy. For Iran’s strategy this duty has been shared between different existing government organizations under supervision of the Management and Planning Organization and the HCCS.

Table 1 shows the summary of comparisons between the security strategies of Finland, US, and Iran.

6. CONCLUDING REMARKS

The goal of this paper was to examine the national level information security strategies, their main elements and their planning process. There are lots of questions which should be correctly answered in this regard. Looking for the right initial view of the problem, the starting point and the turning points of the study, main methods and tools for the study, scale and duration of the study, the required detailing level, executive aspects and so on, all are the typical questions which should be answered appropriately.

Table 1: The comparison summary

| | Finland | United States | Iran |
|---|---|---|---|
| Vision | Information-Secure Society | Securing the Cyberspace | Safeguarding the national jurisdiction and authority |
| Motivation | National Development and Competitiveness | Protecting National Security | Protection of the national profits in the information age |
| Strategy nature | Developmental | Defensive | Protective |
| Strategy owner | Advisory Committee for Information Security (ACIS) in the Finland’s Government | President's Critical Infrastructure Protection Board | High Council of Cyberspace Security |
| Main strategy executor | Existing government organizations | Department of Homeland Security | Existing government organizations |
| Policies (FN) / Priorities (US) / Strategies (IR) | International and national cooperation; Supporting the development and competitiveness of society; Improving information security risk management; Safeguarding the fundamental rights of the individual; Improving information security awareness and competence | A national cyberspace security response system; A national cyberspace security threat and vulnerability reduction program; A national cyberspace security awareness and training program; Securing governments’ cyberspace; National security and international cyberspace security cooperation | Securing the critical infrastructures against electronic attacks; Creation and development of nation-wide cyberspace security systems; Health provision and prevention of the content related risks in cyberspace; Strengthening the security industry and expanding the cyberspace security related services and products; Support of research and promotion of cyberspace security related awareness, knowledge and skills; Promotion of national, regional and international cooperation in cyberspace security |

Our method in this paper was to examine and compare three experiences reported during the recent years in Finland, United States, and Iran. For this purpose, at first we briefly reviewed the process of achieving the related strategies in these countries separately based on their available documents. After that, in a comparative examination, their common features as well as their differences were identified. We showed that the planning process to achieve national information security can be divided into three phases of goal definition, strategy definition, and strategy implementation planning. The outcome of the goal definition phase is the vision. In the strategy definition phase, after traversing the apparently different paths, the optimized method for putting the extracted vision into effect is extracted. The extracted method is then explained in the form of strategies, policies/priorities, and the required measures. Finally, in the last phase, to address the strategy implementation problem, some other issues such as task planning, scheduling and responsibility assignment are considered. In addition to the comparison of the strategies’ structures and their planning process, we compared them from their content viewpoint. We saw how the special conditions and temporal/spatial circumstances of a country influence the vision, motivation, nature and even the method of implementation of the strategy.

ACKNOWLEDGEMENT

The authors thank the Iranian Telecommunication Research Center (ITRC) and the PayamPardaz Company for their assistance in doing this research.

REFERENCES

1. Finland’s Advisory Committee for Information Security, “Information security strategy review related to the national information security strategy”, http://www.ficora.fi/, Jun 2002.
2. Finland advisory committee for information security, “Information security strategy proposal of Finland”, http://www.ficora.fi, Nov. 2002.
3. Finland’s Ministry of Transport and Communications, “Government Resolution on National Information Security Strategy”, September 2003. Available from http://www.mintc.fi/www/sivut/dokumentit/viestinta/tieto/tietoeng.htm
4. T. Casey, “The National Strategy to Secure Cyberspace: An In-Depth Review”, SANS Institute, 2003.
5. The White House Washington, “The National Strategy to Secure Cyberspace”, Feb 2003.
6. High Council of Cyberspace Security, “Preliminary Studies for Preparing the National Cyberspace Security Strategy”, Technical Report, http://www.afta.ir/, May 2004 (in Persian).
7. High Council of Cyberspace Security, “National Cyberspace Security Strategy”, http://www.afta.ir/, January 2005 (in Persian).
8. Organization for Economic Co-operation and Development (OECD), “Culture of Security - National implementation initiatives”. Available from http://webdomino1.oecd.org/COMNET/STI/IccpSecu.nsf/viewHtml/index/$FILE/implementation.htm
