Fostering a modern, open European cybersecurity

Romania is a key player on the European cybersecurity scene. In 2021, the government created a dedicated National Cyber Security Directorate (NCSD) and published a revised national cybersecurity strategy.

Manuela Catrina, Deputy Director of the NCSD shares her thoughts on the current cybersecurity challenges and her vision for the future.

Interviewed Amélie Rives

Building an innovative organization to address new threats

The National Cyber Security Directorate was created in October 2021 to replace the National Cyber Security Incident Response Team (CERT-RO). In many ways it is quite an innovative organisation, in particular in terms of mandate and scope of action. In addition to taking over the missions of the previous national CERT, such as the supervision of all local CERTs, it also stands as the national competent authority for regulation, supervision and control, it contributes to the elaboration of strategy orientations, and it acts as a hub to facilitate cooperation between all involved parties: the government bodies, military, local administrations, the private sector, as well as universities. According to the 2023 law on cybersecurity and cyberdefense, the role of the NCSD is to ensure the cybersecurity of the national civilian cyberspace including the management of risks and cyber incidents, and to serve as the national center for managing cyber crises in peacetime.

Among our many missions, we are responsible for supporting the implementation of our national cybersecurity strategy. Romania’s first cybersecurity strategy was issued in 2013. In 2021, the Government approved a revised Cybersecurity Strategy and Action Plan for 2022-2027 to reinforce cybersecurity in Romania and to strengthen the national digital ecosystem. This of course required adapting the existing strategy to the changing threat and technology landscape. As in many other countries, most of the cyberthreats we have to deal with today stem from the increased digitalisation of our societies. It is the inevitable downside of a very positive and essential transformation, which has widened the attack surface for malicious actors. But Romania also faces a very specific threat: today, we are on the border of a war zone. This puts us in a privileged position to detect trends and attacks very early on, and to share this information with our NATO and EU partners. But it also means that we are the first line of defense, and this has proved particularly challenging.

As a very young agency, we also have organizational issues as we are still in the process of operationalisation. For example, our main focus for the past few months has been (and will still be in the coming months) to recruit and build our teams. We have just opened 50 positions and 40 more will be advertised before the summer, which means we expect to welcome nearly 100 new employees very quickly. This is extremely challenging for a government agency. But for a public servant it is also a rare moment and a unique opportunity to participate in building such an essential and strategic institution.

Using creativity to tackle growing challenges

As a government organisation, our biggest challenge will be to make people the strongest, rather than the weakest link of cybersecurity. Training our citizens to safely use their many digital tools (banking, e-commerce, e-services…) will be our main focus. And perhaps an even greater challenge will be to train the local and central authorities too.

Education and awareness are therefore among the NCSD’s key priorities. The first step is to build relationships with all other actors involved in prevention and awareness: the media, the police, other government bodies, business associations… And to bring them together to devise new, ingenious ways to reach out to all population groups and ages. Creativity is an essential and powerful tool in this regard. For example, in 2022 a partnership was fostered between the association of software providers and the Romanian Orthodox Church’s media group with the objective of helping them address cybersecurity and digital trust issues in their very popular newspapers. This proved to be very efficient in addressing groups that do not necessarily access information through TV channels or the Internet.

Many of our campaigns and projects focus on children. For example, we take part in the “School in a different way” program, through which Romanian school children can spend one week in an organization of their choice. We also go and meet young people in schools and universities, where we speak either on our own or in cooperation with representatives of the Romanian Police, who also have a very strong awareness campaign. We even launched a joint website called “Online Security” where children and their parents can test their basic knowledge, their cyber hygiene, etc. In addition, we try to provide them with concrete tools and share best practices on how to face or to respond to specific situations. We also produced a dedicated cartoon with the support of the Swiss Embassy for instance. The NCSD has also worked to make cybersecurity a stand-alone subject in schools, starting from the first years of education. This will happen once the new Education Law will pass in Parliament. In order to build the curricula, NCSD will work closely with the Ministry of Education.

Fostering a new vision of cybersecurity

Bringing more of the humanities and social sciences to cybersecurity will be vital to answer the many challenges ahead. We tend to see cybersecurity as the realm of computers and machines. But these machines are only created by Men to do what they cannot do themselves. At the end of the day, it is with people we deal, not with machines. And human beings today are no different than the previous generations: they have the same feelings and the same flaws, they only have new tools and new technologies. For example, attacks are carried out by human beings out of anger, greed, emotions… We will not be able to respond to cyberthreats efficiently if we don’t accept this.

Bringing empathy to cybersecurity will also be key to making it more accessible and acceptable to citizens. Romania launched 1911, the emergency hotline for cybersecurity in 2019. It is accessible 24/7, with call /people rather chatbots answering the calls. We have received numerous calls, and it has proved to be very efficient in helping us to detect attacks early on and to respond faster. And therefore, it also helps us build trust in our government and institutions.

We also need to open discussions focused on digital and cyber issues with other disciplines that have complementary approaches. Cybersecurity is not only about science and engineering and it is not cut off from the rest of the world. It is also about values and ethics, and it impacts our everyday lives. AI is a very good example. If we want to make the most out of digital transformation, we need to understand how it will impact our core values and how we can protect them. This is why we need to involve more intellectuals, philosophers and artists in the discussion on digital and new technologies.

Promoting and protecting our values in the digital age can only be a collective endeavour. It is no news that no one can be (cyber)secure on its own and that cooperation is essential. And the EU has a key role to play here. As a new Member State we are probably more passionate about Europe, and we strongly believe that joining forces will be the most efficient way to fight for these core values that bring us together.