33. Belarus 55.84

33rd National Cyber Security Index
39th Global Cybersecurity Index
32nd ICT Development Index
N/A Networked Readiness Index
Population 9.5 million
Area (km2) 207.6 thousand
GDP per capita ($) 19.2 thousand
NCSI Update: 8 Jun 2017
Data source: Cooperation partner

Version 8 Jun 2017

GENERAL CYBER SECURITY INDICATORS
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 0/5 0%
    • 5.1. Cyber security responsibility for digital service providers 0/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence
    • 5.2. Cyber security standard for the public sector 0/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence
    • 5.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 6/6 100%
    • 6.1. Operators of essential services are identified 1/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence
    • 6.2. Cyber security requirements for operators of essential services 1/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence

      Art. 6.2. The requirements of Technical codes of practice TKP 483-2013 "Information technology and security. Safe operation and reliable operation of critically important objects of informatisation. General requirements" (complies with ISO/IEC 27001) are mandatory for entities engaged in activities related to the creation and operation of critically important objects of informatisation. The Technical Code sets requirements for operational reliability and safe operation.

    • 6.3. Competent supervisory authority 3/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence

      The Operations and Analysis Center under the President of the Republic of Belarus is authorized to: coordinate the activities of state bodies and other organizations to provide technical protection of information processed on critically important objects of informatisation; create and maintain the State Register of critically important objects of informatisation, as well as provide information from it to authorized state bodies and organisations; within its authority – to supervise the activity ensuring the technical protection of information processed on critically important objects of informatisation; adopt normative legal acts on the assignment of objects to critically important objects of informatisation and ensuring their safety; realise other powers in the field of operation and maintenance of critically important objects of informatisation established by legislative acts.

    • 6.4. Regular monitoring of security measures 1/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

      Evidence

      The Operations and Analysis Center under the President of the Republic of Belarus is authorized to: coordinate the activities of state bodies and other organizations to provide technical protection of information processed on critically important objects of informatisation; within its authority – to supervise the activity ensuring the technical protection of information processed on critically important objects of informatisation; adopt normative legal acts on the assignment of objects to critically important objects of informatisation and ensuring their safety.

  • 7. E-identification and trust services 7/9 78%
    • 7.1. Unique persistent identifier 1/1
      Requirements
      Criteria

      The government provides a unique persistent identifier to all citizens, residents, and legal entities. For example, the identifier remains the same after document expiration and name change.

      Accepted references

      Legal act

      Evidence

      Article 9. Identification number
      All citizens of the Republic of Belarus, as well as other categories of physical entities registered in the State Population Register, also have a unique identification number that is assigned to a person for a lifetime. Since 2013, this also concerns children, since they obtain a certificate of birth. The Decision of the Ministry of Internal Affairs of the Republic of Belarus of October 18, 2011 No. 345 establishes the order of formation of the “Identification number, which is the main identifying characteristic of an individual in the process of entering his personal data into information systems, updating, excluding, storing, restoring, providing and using them”.
      For legal entities, the payer’s account number (УНП/PAN) assigned to them at registration of the legal entity is used as a unique identifier.

    • 7.2. Requirements for cryptosystems 1/1
      Requirements
      Criteria

      Requirements for cryptosystems in the field of trust services are regulated.

      Accepted references

      Legal act

      Evidence

      The Order of the Operational and Analytical Center under the President of the Republic of Belarus of May 27, 2013 No. 33 "On approval of the Instruction on the procedure for interaction of departmental electronic document management systems with the system of interdepartmental electronic document circulation of state bodies" determines the requirements for interdepartmental and inter-system electronic compatibility (interoperability). It ensures compatibility of newly developed state information systems used by the government control agencies for interdepartmental services. The procedure of connection to IDMS posted on the official website of the IDMS operator includes a necessary step: “2. To acquire means of electronic digital signature. To work in the IDMS system, the user should acquire the means of electronic digital signature in the state certification center GosSUOC” (Art. 7 of the “Uniform technical requirements for organization of access of departmental systems of electronic document flow to IDMS”, established by the National Center for Electronic Services on 24.02.2017). See indicator 6.4 for details of the SPKMS (GosSUOK) system organisation.



    • 7.3. Electronic identification 0/1
      Requirements
      Criteria

      Electronic identification is regulated.

      Accepted references

      Legal act

      Evidence
    • 7.4. Electronic signature 1/1
      Requirements
      Criteria

      E-signature is regulated.

      Accepted references

      Legal act

    • 7.5. Timestamping 0/1
      Requirements
      Criteria

      Timestamping is regulated.

      Accepted references

      Legal act

      Evidence
    • 7.6. Electronic registered delivery service 1/1
      Requirements
      Criteria

      Electronic registered delivery service between state entities, citizens and private sector entities is regulated. The service provides legally binding data exchange and guarantees the confidentiality and integrity of information.

      Accepted references

      Legal act

      Evidence

      National automated information system (portal for e-services).


    • 7.7. Competent supervisory authority 3/3
      Requirements
      Criteria

      There is an authority responsible for the supervision of qualified trust service providers.

      Accepted references

      Official website or legal act

      Evidence

      The Operations and Analysis Center under the President of the Republic of Belarus is responsible for the supervision of qualified trust service providers and for granting the qualified status. The procedure for the accreditation of service providers in GosSUOC and for monitoring compliance with accreditation conditions is determined by the "Instruction on the procedure for accreditation of service providers in the State system for managing public keys for checking the electronic digital signature of the Republic of Belarus and for monitoring compliance with accreditation conditions", approved by the OAC Order of November 29, 2013 No. 89.

  • 8. Protection of personal data 0/4 0%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
  • 9. Cyber incidents response 4/6 67%
    • 9.1. Cyber incidents response unit 3/3
      Requirements
      Criteria

      The government has a unit (CSIRT, CERT, CIRT, etc.) that is specialised in national-level cyber incident detection and response.

      Accepted references

      Official website or legal act

      Evidence

      CERT.BY is the National Computer Emergency Response Team of the Republic of Belarus; it was launched and is maintained by the Operation and Analytical Center under the President of Belarus.
       

    • 9.2. Reporting responsibility 1/1
      Requirements
      Criteria

      Digital service providers and operators of essential services have an obligation to notify appointed government authorities of cyber security incidents.

      Accepted references

      Legal act

      Evidence

      Technical codes of practice TKP 483-2013 "Information technology and security. Safe operation and reliable operation of critically important objects of informatisation. General requirements" set requirements for the operational reliability and safe operation of critically important objects of informatisation, including the “procedures for handling security events in the CII and procedures for reporting, responding and recovering from security incidents in the CII”.

    • 9.3. Single point of contact for international coordination 0/2
      Requirements
      Criteria

      The government has designated a single point of contact for international cyber security coordination.

      Accepted references

      Official website or legal act

      Evidence
  • 10. Cyber crisis management 1/5 20%
    • 10.1. Cyber crisis management plan 0/1
      Requirements
      Criteria

      The government has established a crisis management plan for large-scale cyber incidents.

      Accepted references

      Legal act

      Evidence
    • 10.2. National-level cyber crisis management exercise 0/2
      Requirements
      Criteria

      The government has conducted a national-level cyber crisis management exercise or a crisis management exercise with a cyber component in the last 3 years.

      Accepted references

      Exercise document/website or press release

      Evidence
    • 10.3. Participation in international cyber crisis exercises 1/1
      Requirements
      Criteria

      The country's team has participated in an international cyber crisis management exercise in the last 3 years.

      Accepted references

      Exercise document/website or press release

      Evidence

      A joint anti-terrorist exercise of the participating states of the Commonwealth of Independent States, "Cyber-Antiterror-2016" (including Belarus, Armenia, Kyrgyzstan, Kazakhstan and Russia), was held in 2016 in Novolukoml (Belarus). The legend was that one of the extremist websites had published an appeal to the international terrorist organization for massive computer DDoS attacks on the servers of critical infrastructure in Belarus. The security agencies and special services of these countries, with the support of the CIS Anti-Terrorist Center, carried out a series of measures to detect and respond to cyber-terrorism activities.

    • 10.4. Operational support of volunteers in cyber crises 0/1
      Requirements
      Criteria

      The procedures for using volunteers are established by legislation.

      Accepted references

      Legal act

      Evidence
  • 11. Fight against cybercrime 6/9 67%
    • 11.1. Cybercrimes are criminalised 1/1
      Requirements
      Criteria

      Cybercrimes are defined by legislation.

      Accepted references

      Legal act

      Evidence

      The Criminal Code of Belarus contains a chapter defining the criminal offences and sanctions for attacks against information systems and computer data: Chapter 31. Crimes against information security (Art. 349. Unauthorized access to computer information; Art. 350. Modification of computer information; Art. 351. Computer sabotage; Art. 352. Illegal occupation of computer information; Art. 353. Manufacture or sale of special funds for unauthorized access to a computer system or network; Art. 354. The development, use or distribution of malware; Art. 355. Violation of the rules of operation of a computer system or network).

    • 11.2. Cybercrime unit 3/3
      Requirements
      Criteria

      There is a government entity with a specific function of combatting cybercrime.

      Accepted references

      Official website or legal act

      Evidence

      The Office for the Detection of High-Tech Crime at the Ministry of Internal Affairs of the Republic of Belarus (Office “K”) is an independent operational and search division of the Ministry, directly subordinate to the Head of the Main Directorate of Criminal Police.

    • 11.3. Digital forensics unit 0/3
      Requirements
      Criteria

      There is a government entity with a specific function of digital forensics.

      Accepted references

      Official website or legal act

      Evidence
    • 11.4. 24/7 contact point for international cybercrime 2/2
      Requirements
      Criteria

      The government has designated an international 24/7 contact point for cybercrimes.

      Accepted references

      Official website or legal act

  • 12. Military cyber operations 6/6 100%
    • 12.1. Cyber operations unit 3/3
      Requirements
      Criteria

      Military forces have a unit (cyber command, etc.) that is specialised in planning and conducting cyber operations.

      Accepted references

      Official website or legal act

      Evidence

      Deputy Minister of Defense, Major General has announced that special units to combat cyber threats are created in the Belarusian army.

    • 12.2. Cyber operations exercise 2/2
      Requirements
      Criteria

      Military forces have conducted a cyber operations exercise or an exercise with a cyber operations component in the country in the last 3 years.

      Accepted references

      Exercise document/website or press release

      Evidence

      A joint anti-terrorist exercise of the participating states of the Commonwealth of Independent States, "Cyber-Antiterror-2016" (including Belarus, Armenia, Kyrgyzstan, Kazakhstan and Russia), was held in 2016 in Novolukoml (Belarus). The legend was that one of the extremist websites had published an appeal to the international terrorist organization for massive computer DDoS attacks on the servers of critical infrastructure in Belarus.

    • 12.3. Participation in international cyber exercises 1/1
      Requirements
      Criteria

      The country's military team has participated in an international cyber operations exercise in the last 3 years.

      Accepted references

      Exercise document/website or press release

      Evidence

      A joint anti-terrorist exercise of the participating states of the Commonwealth of Independent States, "Cyber-Antiterror-2016" (including Belarus, Armenia, Kyrgyzstan, Kazakhstan and Russia), was held in 2016 in Novolukoml (Belarus). The legend was that one of the extremist websites had published an appeal to the international terrorist organization for massive computer DDoS attacks on the servers of critical infrastructure in Belarus.

CONTRIBUTORS

Anna Pobol
Belarusian State University