Implementing Kazakhstan’s cybersecurity concept
Ruslan Kenzhebekovich Abdikalikov, Chair of the Information Security Committee formed under the Republic of Kazakhstan’s Ministry of Digital Development, Innovation and Aerospace Industry, spoke recently with the ITU Regional Office for the CIS (Commonwealth of Independent States) Region.
Kazakhstan has approved and started implementing its national “Cyber Shield of Kazakhstan” cybersecurity concept. What were the preconditions and the development process for this plan?
New technologies and electronic services have become an integral part of daily life.
As we become more dependent on information and communication technologies (ICTs), the protection and availability of these technologies has become a major concern for the state.
In January 2017, President Nursultan Nazarbayev instructed the government to create the Cyber Shield of Kazakhstan. Five months later, the government approved the concept.
What are the main provisions, and which organizations took part in creating the plan?
Initially, the ministry produced a draft concept based on the country’s existing cybersecurity situation. However, this considered only the interests of the state. Public discussions then took place, and the draft concept was criticized among professionals as too “one-sided”.
At the same time, we were pleasantly surprised to find a pool of cybersecurity professionals in Kazakhstan ready to do something, and we work together with them to this day.
A working group was created including parliamentarians, representatives of state bodies, professional and industry associations, higher educational institutions, and the industry, to analyse the status of informatization at government agencies, automation of public services, prospects for the digital economy, and modernization of production processes, aiming to expand the scope for ICT services. It also studied a wealth of international experience in protecting national ICT infrastructure.
The resulting document is now being implemented. Along with defining state policy on ICT protection, the plan outlines measures to boost a legal and industrial culture of cybersecurity. It improves the country’s readiness to prevent and respond to incidents, as well as providing basic definitions and explanations to raise general awareness about threats.
What problems did you identify, and how are those being solved?
Key problems we encountered include:
- Insufficient awareness among citizens about cybersecurity threats.
- A shortage of information security professionals.
- Inadequate information protection infrastructure.
- Neglect by organizations of information security requirements.
- Limited trust in the public sector, beyond a few common software products.
- Risks associated with the provision of electronic public services.
We recommend that countries analyse their current cybersecurity situation, identify key challenges and threats, learn from the experience of other countries, outline objectives, and formulate an action plan.
Kazakhstan is ready to share its own experience in a bilateral or multilateral format.
The continuous development of digital technologies also leads to the emergence of new vulnerabilities and cyber threats. Do you plan to revise the Cyber Shield concept?
The concept was approved for five years – the medium term. Some activities not reflected there are included in the Digital Kazakhstan programme, the National Security Strategy, or intradepartmental plans of state bodies.
But we understand that with the development of technology, security threats are also progressing.
We will soon start developing a new cybersecurity development document.
Kazakhstan uses the Global Cybersecurity Index – produced by the International Telecommunication Union (ITU) since 2014 – as a metric for progress. What advantages do you see in using it?
Initially, we did not know about the index. But after public discussion of our concept, we received a proposal to follow ITU’s Global Cybersecurity Index (GCI). After studying the indicators and methodology, as well as Kazakhstan’s rating (103rd among 194 countries at the time), we adopted the GCI as our main benchmark.
This has undoubtedly strengthened cybersecurity development in Kazakhstan. GCI criteria cover legal, technical, and organizational measures, capacity building and cooperation. Importantly, Kazakhstan’s position in the rankings moved up from 103rd place to 31st in just three years.
In the latest edition, Kazakhstan scores high on four of the five GCI criteria: legal, technical, organizational and cooperation. How did you achieve this?
Ensuring cybersecurity is a priority for the country’s leadership.
A separate body – the Committee on Information Security – was tasked with implementing state policy on cybersecurity, including market development, international cooperation, and organizational and technical measures.
Today, Kazakhstan has about 40 companies, along with 19 private security operational centres (SOCs), 3 computer incident response teams (CERTs), 7 private, accredited testing laboratories, 8 higher educational institutions, and 25 secondary educational institutions, dealing with cybersecurity issues.
We have 85 vendors of trusted software and electronics products, as well as a national coordination centre and a dedicated information security centre for the financial sector.
Our achievements are due to joint work by government agencies, private ICT and cybersecurity companies, specialized public associations, and experts.
The GCI report identifies capacity building as an area where Kazakhstan needs further development. Do you plan to do more in this direction?
Undoubtedly. We will intensify efforts to educate the public.
Work has begun on the legal framework for information security inspectors and Bug Bounty sites.
In addition, our ministry is nurturing domestic ICT solutions, equipment, and software production.
What would you suggest to strengthen cybersecurity and personal data protection across all CIS countries?
Some essential criteria need to be in place in each country:
- Legislative and regulatory frameworks for people’s data and personal data protection.
- State structures dealing with personal data protection and individual rights.
- Public awareness about rights and freedoms to be protected as personal data is collected and processed.
- Technical and organizational measures to prevent leakage of personal data, ensure transparency and promote legitimate data collection procedures.
- Administrative and criminal liability for illegal actions with personal data and for non-compliance with protection measures.
- State safeguards for legitimate collection and processing of personal data with proper protection measures.