Cybersecurity Maturity of Turkey: An Assessment with ENISA’s National Capabilities Assessment Framework (NCAF)

Yıl 2024, Cilt: 20 Sayı: 2, 191 - 210, 01.11.2024

Hasan Çifci

https://doi.org/10.17134/khosbd.1450078

Öz

In this study, Turkey's cybersecurity maturity level was assessed using the European Union Agency for Cybersecurity's (ENISA) National Capabilities Assessment Framework (NCAF). The results of other global cybersecurity indices for Turkey were also given to support the NCAF assessment. Additionally, Turkey’s organizations, legal framework, public and private sector, academic landscape, incident response capabilities and military capabilities were presented through an extensive literature review. In this respect, this is the most up-to-date cybersecurity capability analysis of Turkey in English. According to the findings from NCAF assessment, Turkey has high level of cybersecurity maturity level while there are various areas that need improvement, including supply chain security, contingency strategies, education and training, security and trustworthiness of digital identity and public digital services. The methodology and findings of this study can serve as a reference for researchers to measure the cybersecurity levels of other countries.

Anahtar Kelimeler

cybersecurity, cybersecurity maturity models, cybersecurity maturity assessment, National Capabilities Assessment Framework (NCAF), cybersecurity in Turkey

Türkiye'nin Siber Güvenlik Olgunluğu: ENISA'nın Ulusal Yetenekler Değerlendirme Çerçevesi (NCAF) ile Bir Değerlendirme

Öz

Bu çalışmada, Türkiye'nin siber güvenlik olgunluk düzeyi, Avrupa Birliği Siber Güvenlik Ajansı'nın (ENISA) Ulusal Yetenekler Değerlendirme Çerçevesi (National Capabilities Assessment Framework-NCAF) kullanılarak değerlendirilmiştir. NCAF değerlendirmesini desteklemek amacıyla Türkiye’nin diğer küresel siber güvenlik endekslerindeki sonuçları da verilmiştir. Ayrıca Türkiye'nin siber güvenlik yapılanması, yasal çerçevesi, kamu ve özel sektörü, akademik yapısı, siber olaylara müdahale yetenekleri ve askeri yetenekleri kapsamlı bir literatür taramasıyla verilmiştir. Bu açıdan çalışma, Türkiye'nin siber güvenlik yetenek analizini içeren İngilizce dilindeki en güncel araştırmadır. NCAF değerlendirmesinden elde edilen bulgulara göre, Türkiye yüksek düzeyde siber güvenlik olgunluk düzeyine sahipken, tedarik zinciri güvenliği, acil durum stratejileri, eğitim ve öğretim, dijital kimlik ve kamu dijital hizmetlerinin güvenliği gibi iyileştirilmesi gereken çeşitli alanlar da bulunmaktadır. Bu çalışmanın metodolojisi ve bulguları, diğer ülkelerin siber güvenlik düzeylerini ölçmek isteyen araştırmacılara örnek teşkil edebilecek bir mahiyettedir.

Anahtar Kelimeler

siber güvenlik, siber güvenlik olgunluk modelleri, siber güvenlik olgunluk değerlendirmesi, Ulusal Yetenekler Değerlendirme Çerçevesi (NCAF), Türkiye'de siber güvenlik

Kaynakça

• [1] L. Maglaras, I. Kantzavelou, and M. A. Ferrag, ‘Digital Transformation and Cybersecurity of Critical Infrastructures’, in Cyber Security of Critical Infrastructures, 2021, pp. 1–4. Accessed: Feb. 06, 2023. https://mdpires.com/books/book/4750/Cyber_Security_of_Cr itical_Infrastructures.pdf?filename=Cyber_Secu rity_of_Critical_Infrastructures.pdf
• [2] J. A. Lewis, ‘Cybersecurity and Critical Infrastructure Protection’, 2006. Accessed: Aug. 06, 2023. http://csiswebsiteprod.s3.amazonaws.com/s3fspublic/legacy_files/files/media/csis/pubs/0601_c scip_preliminary.pdf
• [3] Oxford GCSCC, ‘Cybersecurity Capacity Maturity Model for Nations (CMM)’, 2021. https://gcscc.ox.ac.uk/the-cmm
• [4] ENISA, ‘NCAF Assessment Tool’. Accessed: Nov. 11, 2023. https://www.enisa.europa.eu/topics/nationalcyber-security-strategies/national-cybersecurity-strategies-guidelines-tools/nationalcybersecurity-assessment-framework-ncaf-tool#/
• [5] Cybersecurity Ventures, ‘Cybersecurity Market Report’. Accessed: May 05, 2023. https://cybersecurityventures.com/wpcontent/uploads/2021/01/Cyberwarfare-2021- Report.pdf
• [6] CISA, ‘Cybersecurity Framework’. Accessed: Oct. 05, 2023. https://www.cisa.gov/uscert/resources/cybersecurity-framework
• [7] NIST, ‘Cybersecurity Framework -Framework Documents’. Accessed: Feb. 05, 2023. https://www.nist.gov/cyberframework/framework
• [8] EUI & Booz Allen Hamilton, ‘Cyber Power Index - Findings and Methodology’, pp. 1–36, 2011. [9] UNIDIR, ‘The Cyber Index-International Security Trends and Realities’, 2013. http://www.unidir.org/files/publications/pdfs/cyb er-index-2013-en-463.pdf
• [10] Potomac Institute for Policy Studies, ‘Cyber Readiness Index 2.0’, 2015. https://potomacinstitute.org/images/CRIndex2.0.pdf
• [11] Belfer Center for Science and International Affairs, ‘National Cyber Power Index 2020 - Methodology and Analytical Considerations’, Belfer Center for Science and International Affairs - Harvard Kennedy School, no. September, pp. 1–71, 2020, https://www.belfercenter.org/sites/default/files/2 020-09/NCPI_2020.pdf
• [12] IISS, ‘Cyber Capabilities and National Power: A Net Assessment’, 2021. https://www.iiss.org/blogs/researchpaper/2021/06/cyber-capabilities-nationalpower
• [13] eGA, ‘About Us’. Accessed: Sep. 06, 2022. https://ega.ee/about-us
• [14] eGA, ‘Methodology’. Accessed: Sep. 06, 2022. https://ncsi.ega.ee/methodology
• [15] ITU, ‘Global Cybersecurity Index (GCI) 2020’, 2021. https://www.itu.int/dms_pub/itud/opb/str/D-STR-GCI.01-2021-PDF-E.pdf
• [16] ITU, ‘GCI scope and framework’, 2019. https://www.itu.int/en/ITUD/Cybersecurity/Documents/GCIv4/New_Reference_Model_GCIv4_V2_.pdf
• [17] G. Acayo, ‘Global Cybersecurity Index Overview’. Ispra, 2017. https://knowledge4policy.ec.europa.eu/sites/default/files/02_-_global_cybersecurity_index_-_grace_acayo_0.pdf
• [18] ITU, ‘GCI v5 Final Questionnaire’. Accessed: Oct. 22, 2023. https://www.itu.int/en/ITUD/Cybersecurity/Documents/GCIv5/GCIv5_E.pdf
• [19] TÜBİTAK, ‘Tarihçe’. Accessed: Oct. 11, 2023. https://uekae.bilgem.tubitak.gov.tr/tr/kurumsal/tarihce
• [20] H. Çifci, Her Yönüyle Siber Savaş, 3rd ed. Ankara, Turkey: TÜBİTAK, 2023.
• [21] Prime Ministry of the Republic of Turkey, Circular No. 2003/12: e-Transformation Turkey Project. 2003. http://www.bilgitoplumu.gov.tr/Documents/1/Mevzuatlar/BasbakanlikGenelge_2003-12.pdf
• [22] Prime Ministry of the Republic of Turkey, Circular No. 2003/48: e-Transformation Turkey Short-Term Action Plan 2003-2004. 2003. https://www.resmigazete.gov.tr/eskiler/2003/12/ 20031204.htm#3
• [23] Prime Ministry of the Republic of Turkey, 2005/5 Numbered e-Transformation Turkey Project Action Plan for 2005. 2005. https://www.resmigazete.gov.tr/Eskiler/2005/04/20050401-12.htm
• [24] Prime Ministry of the Republic of Turkey, 2006/38 Numbered Information Society Strategy and Action Plan 2006-2010. 2006. https://www.resmigazete.gov.tr/eskiler/2006/07/ 20060728-7.htm
• [25] Council of Ministers, Decision on the Execution, Management and Coordination of National Cybersecurity Studies. 2012. Accessed: Feb. 03, 2023. https://www.resmigazete.gov.tr/eskiler/2012/10/ 20121020-18-1.pdf
• [26] Council of Ministers, National Cyber Security Strategy and Action Plan 2013-2014. 2013. https://www.resmigazete.gov.tr/eskiler/2013/06/ 20130620-1.htm
• [27] Ministry of Development, 2015-2018 Information Society Strategy and Action Plan. 2015. https://www.resmigazete.gov.tr/eskiler/2015/03/20150306M1-2.htm
• [28] Ministry of Transport Maritime and Communication, 2016-2019 National Cyber Security Strategy. 2016. https://hgm.uab.gov.tr/uploads/pages/siberguvenlik/2016-2019guvenlik.pdf
• [29] Presidency of the Republic of Turkey, Information and Communication Security Measures No. 2019/12. 2019. https://www.mevzuat.gov.tr/MevzuatMetin/CumhurbaskanligiGenelgeleri/20190706-12.pdf
• [30] Ministry of Transport and Infrastructure, ‘Minimum Information Security Criteria That Public Institutions Must Comply with’, 2013. https://hgm.uab.gov.tr/uploads/pages/siberguvenlik/asbk.pdf
• [31] Prime Ministry of the Republic of Turkey, Circular on Inclusion of Public Institutions and Organizations in KamuNet. 2016. https://www.resmigazete.gov.tr/eskiler/2016/12/20161203-24.pdf
• [32] DTO, ‘Information and Communication Security Guide’. Accessed: Oct. 14, 2023. https://cbddo.gov.tr/bigrehber/
• [33] Ministry of Transport and Infrastructure, 2020-2023 National Cyber Security Strategy. 2020. https://hgm.uab.gov.tr/uploads/pages/stratejieylem-planlari/ulusal-siber-guvenlik-stratejisive-eylem-plani-2020-2023.pdf
• [34] Presidency of the Republic of Turkey, National Cyber Security Strategy No. 2020/15 and Action Plan for 2020-2023. 2020. https://www.mevzuat.gov.tr/MevzuatMetin/CumhurbaskanligiGenelgeleri/20201229-15.pdf
• [35] Presidency of the Republic of Turkey, Presidential Decree No. 4 on the Organization of Ministries, Related Institutions and Organizations and Other Institutions and Organizations. 2018. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =4&MevzuatTur=19&MevzuatTertip=5
• [36] DTO, ‘About DTO’, 2018, Accessed: Oct. 10, 2023. https://cbddo.gov.tr/en/about-dto
• [37] Presidency of the Republic of Turkey, 1 Sayılı Cumhurbaşkanlığı Teşkilatı Hakkında Cumhurbaşkanlığı Kararnamesi (Presidential Decree No. 1 on the Organization of the Presidency). 2018.Accessed:Feb. 10, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =1&MevzuatTur=19&MevzuatTertip=5
• [38] Ministry of Transport and Infrastructure, Elektronik Haberleşme Kanunu (Electronic Communications Law). 2008. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5809&MevzuatTur=1&MevzuatTertip=5
• [39] Ministry of Transport and Infrastructure, Network and Information Security Regulation in the Electronic Communications Industry. 2014. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=19880&MevzuatTur=7&MevzuatTertip=5
• [40] EGM, ‘Hakkımızda’. Accessed: Oct. 10, 2023. https://www.egm.gov.tr/siber/hakkimizda2
• [41] Ministry of Internal Affairs, Law on Police Organization. 1937. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=3201&MevzuatTur=1&MevzuatTertip=3
• [42] Council of Ministers, Law Amending the Law on State Intelligence Services and the National Intelligence Organization. 2014. https://www.resmigazete.gov.tr/eskiler/2014/04/20140426-1.htm
• [43] Presidency of the Republic of Turkey, State Intelligence Services and National Intelligence Agency Law. 1983. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =2937&MevzuatTur=1&MevzuatTertip=5
• [44] AFAD, ‘2014-2023 Technological Disasters Roadmap Document’, 2014. https://www.afad.gov.tr/kurumlar/afad.gov.tr/39 06/xfiles/teknolojik-afetler-son.pdf
• [45] Prime Ministry of the Republic of Turkey, Law on the Organization and Duties of the Disaster and Emergency Management Presidency. 2009. https://www.resmigazete.gov.tr/eskiler/2009/06/20090617-1.htm
• [46] TÜBİTAK, ‘Who We Are?’ Accessed: Oct. 11, 2023. https://www.tubitak.gov.tr/en/aboutus/content-who-we-are
• [47] Council of Ministers, Electronic Signature Law. 2004. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5070&MevzuatTur=1&MevzuatTertip=5
• [48] Ministry of Transport and Infrastructure, Law on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts. 2007. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5651&MevzuatTur=1&MevzuatTertip=5
• [49] Ministry of Culture and Tourism, Intellectual and Artistic Works Law. 1951. https://www.mevzuat.gov.tr/mevzuatmetin/1.3.5846.pdf
• [50] Ministry of Commerce, Law on the Regulation of Electronic Commerce. 2014. https://www.mevzuat.gov.tr/mevzuatmetin/1.5.65 63.pdf
• [51] Ministry of Commerce, Ticaret Sicili Yönetmeliği (Trade Registry Regulation). 2019. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=20124093&MevzuatTur=21&MevzuatTertip=5
• [52] Council of Ministers, Law Regarding Approval of the Agreement on Crimes Committed in the Virtual Environment. 2014. https://www.resmigazete.gov.tr/eskiler/2014/05/ 20140502-12.htm
• [53] Council of Ministers, Personal Data Protection Law. 2016. https://www.mevzuat.gov.tr/mevzuatmetin/1.5.66 98.pdf
• [54] Ministry of Transport and Infrastructure, Communique on Procedures and Principles Regarding the Establishment, Duties and Operations of Cyber Incidents Response Teams. 2013. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =19004&MevzuatTur=9&MevzuatTertip=5
• [55] Presidency of the Republic of Turkey, Communiqué on National Occupational Standards. 2020. https://www.resmigazete.gov.tr/eskiler/2020/02/ 20200209-9.htm
• [56] YÖK, ‘Our Universities’. Accessed: Apr. 22, 2023. https://www.yok.gov.tr/universiteler/universitelerimiz
• [57] Anadolu Agency, ‘7. Siber Güvenlik Ekosisteminin Geliştirilmesi Zirvesi başladı (EN: 7th Cyber Security Ecosystem Development Summit started)’. Accessed: Apr. 22, 2024. https://www.aa.com.tr/tr/bilim-teknoloji/7-siberguvenlik-ekosisteminin-gelistirilmesi-zirvesibasladi/3155686
• [58] Siber Küme, ‘Turkey Cybersecurity Cluster’. Accessed: Oct. 11, 2023. https://siberkume.org.tr/Index
• [59] DTO, ‘Cybersecurity Cluster’. Accessed: Oct. 11, 2023. https://cbddo.gov.tr/projeler/#4800
• [60] Ministry of Industry and Technology, ‘List of Technoparks in Turkey’, 2023, Accessed: Oct. 11, 2023. https://teknopark.sanayi.gov.tr/Home/TgbListesi
• [61] USOM, ‘Hakkımızda’. Accessed: Oct. 10, 2023. https://www.usom.gov.tr/hakkimizda
• [62] Energy Market Regulatory Authority, Information Security Regulation in Industrial Control Systems Used in the Energy Sector. 2017. https://www.resmigazete.gov.tr/eskiler/2017/07/20170713-5.htm
• [63] Anadolu Agency, ‘Turkey’s Cyber Fortress: USOM’, 2021, Accessed: Oct. 05, 2023. https://www.aa.com.tr/tr/bilimteknoloji/turkiyenin-siber-kalesi-usom/2439016#
• [64] MSI, ‘Cyber Defense Operations Center on Duty’, 2017, Accessed: Sep. 12, 2023. https://www.savunmahaber.com/siber-savunmaharekat-merkezi-gorev-basinda/
• [65] ITU, ‘Digital Development DashboardTürkiye’. Accessed: Feb. 13, 2023. https://www.itu.int/en/ITUD/Statistics/Dashboards/Pages/DigitalDevelopment.aspxÇifci, Savunma Bilimleri Dergisi, 20(2): 191-210 (2024)210
• [66] TÜİK, ‘Household Information Technologies Usage Survey’. Accessed: Apr. 22, 2024. https://data.tuik.gov.tr/Bulten/Index?p=Hanehalki-Bilisim-Teknolojileri-(BT)-Kullanim