Cybersecurity Maturity of Turkey: An Assessment with ENISA’s National Capabilities Assessment Framework (NCAF)

Abstract

In this study, Turkey's cybersecurity maturity level was assessed using the European Union Agency for Cybersecurity's (ENISA) National Capabilities Assessment Framework (NCAF). The results of other global cybersecurity indices for Turkey were also given to support the NCAF assessment. Additionally, Turkey’s organizations, legal framework, public and private sector, academic landscape, incident response capabilities and military capabilities were presented through an extensive literature review. In this respect, this is the most up-to-date cybersecurity capability analysis of Turkey in English. According to the findings from NCAF assessment, Turkey has high level of cybersecurity maturity level while there are various areas that need improvement, including supply chain security, contingency strategies, education and training, security and trustworthiness of digital identity and public digital services. The methodology and findings of this study can serve as a reference for researchers to measure the cybersecurity levels of other countries.

Keywords

• cybersecurity
• cybersecurity maturity models
• cybersecurity maturity assessment
• National Capabilities Assessment Framework (NCAF)
• cybersecurity in Turkey

Türkiye'nin Siber Güvenlik Olgunluğu: ENISA'nın Ulusal Yetenekler Değerlendirme Çerçevesi (NCAF) ile Bir Değerlendirme

Abstract

Bu çalışmada, Türkiye'nin siber güvenlik olgunluk düzeyi, Avrupa Birliği Siber Güvenlik Ajansı'nın (ENISA) Ulusal Yetenekler Değerlendirme Çerçevesi (National Capabilities Assessment Framework-NCAF) kullanılarak değerlendirilmiştir. NCAF değerlendirmesini desteklemek amacıyla Türkiye’nin diğer küresel siber güvenlik endekslerindeki sonuçları da verilmiştir. Ayrıca Türkiye'nin siber güvenlik yapılanması, yasal çerçevesi, kamu ve özel sektörü, akademik yapısı, siber olaylara müdahale yetenekleri ve askeri yetenekleri kapsamlı bir literatür taramasıyla verilmiştir. Bu açıdan çalışma, Türkiye'nin siber güvenlik yetenek analizini içeren İngilizce dilindeki en güncel araştırmadır. NCAF değerlendirmesinden elde edilen bulgulara göre, Türkiye yüksek düzeyde siber güvenlik olgunluk düzeyine sahipken, tedarik zinciri güvenliği, acil durum stratejileri, eğitim ve öğretim, dijital kimlik ve kamu dijital hizmetlerinin güvenliği gibi iyileştirilmesi gereken çeşitli alanlar da bulunmaktadır. Bu çalışmanın metodolojisi ve bulguları, diğer ülkelerin siber güvenlik düzeylerini ölçmek isteyen araştırmacılara örnek teşkil edebilecek bir mahiyettedir.

Keywords

• siber güvenlik
• siber güvenlik olgunluk modelleri
• siber güvenlik olgunluk değerlendirmesi
• Ulusal Yetenekler Değerlendirme Çerçevesi (NCAF)
• Türkiye'de siber güvenlik

References

1. [1] L. Maglaras, I. Kantzavelou, and M. A. Ferrag, ‘Digital Transformation and Cybersecurity of Critical Infrastructures’, in Cyber Security of Critical Infrastructures, 2021, pp. 1–4. Accessed: Feb. 06, 2023. https://mdpires.com/books/book/4750/Cyber_Security_of_Cr itical_Infrastructures.pdf?filename=Cyber_Secu rity_of_Critical_Infrastructures.pdf
2. [2] J. A. Lewis, ‘Cybersecurity and Critical Infrastructure Protection’, 2006. Accessed: Aug. 06, 2023. http://csiswebsiteprod.s3.amazonaws.com/s3fspublic/legacy_files/files/media/csis/pubs/0601_c scip_preliminary.pdf
3. [3] Oxford GCSCC, ‘Cybersecurity Capacity Maturity Model for Nations (CMM)’, 2021. https://gcscc.ox.ac.uk/the-cmm
4. [4] ENISA, ‘NCAF Assessment Tool’. Accessed: Nov. 11, 2023. https://www.enisa.europa.eu/topics/nationalcyber-security-strategies/national-cybersecurity-strategies-guidelines-tools/nationalcybersecurity-assessment-framework-ncaf-tool#/
5. [5] Cybersecurity Ventures, ‘Cybersecurity Market Report’. Accessed: May 05, 2023. https://cybersecurityventures.com/wpcontent/uploads/2021/01/Cyberwarfare-2021- Report.pdf
6. [6] CISA, ‘Cybersecurity Framework’. Accessed: Oct. 05, 2023. https://www.cisa.gov/uscert/resources/cybersecurity-framework
7. [7] NIST, ‘Cybersecurity Framework -Framework Documents’. Accessed: Feb. 05, 2023. https://www.nist.gov/cyberframework/framework
8. [8] EUI & Booz Allen Hamilton, ‘Cyber Power Index - Findings and Methodology’, pp. 1–36, 2011. [9] UNIDIR, ‘The Cyber Index-International Security Trends and Realities’, 2013. http://www.unidir.org/files/publications/pdfs/cyb er-index-2013-en-463.pdf

9. [10] Potomac Institute for Policy Studies, ‘Cyber Readiness Index 2.0’, 2015. https://potomacinstitute.org/images/CRIndex2.0.pdf
10. [11] Belfer Center for Science and International Affairs, ‘National Cyber Power Index 2020 - Methodology and Analytical Considerations’, Belfer Center for Science and International Affairs - Harvard Kennedy School, no. September, pp. 1–71, 2020, https://www.belfercenter.org/sites/default/files/2 020-09/NCPI_2020.pdf
11. [12] IISS, ‘Cyber Capabilities and National Power: A Net Assessment’, 2021. https://www.iiss.org/blogs/researchpaper/2021/06/cyber-capabilities-nationalpower
12. [13] eGA, ‘About Us’. Accessed: Sep. 06, 2022. https://ega.ee/about-us
13. [14] eGA, ‘Methodology’. Accessed: Sep. 06, 2022. https://ncsi.ega.ee/methodology
14. [15] ITU, ‘Global Cybersecurity Index (GCI) 2020’, 2021. https://www.itu.int/dms_pub/itud/opb/str/D-STR-GCI.01-2021-PDF-E.pdf
15. [16] ITU, ‘GCI scope and framework’, 2019. https://www.itu.int/en/ITUD/Cybersecurity/Documents/GCIv4/New_Reference_Model_GCIv4_V2_.pdf
16. [17] G. Acayo, ‘Global Cybersecurity Index Overview’. Ispra, 2017. https://knowledge4policy.ec.europa.eu/sites/default/files/02_-_global_cybersecurity_index_-_grace_acayo_0.pdf
17. [18] ITU, ‘GCI v5 Final Questionnaire’. Accessed: Oct. 22, 2023. https://www.itu.int/en/ITUD/Cybersecurity/Documents/GCIv5/GCIv5_E.pdf
18. [19] TÜBİTAK, ‘Tarihçe’. Accessed: Oct. 11, 2023. https://uekae.bilgem.tubitak.gov.tr/tr/kurumsal/tarihce
19. [20] H. Çifci, Her Yönüyle Siber Savaş, 3rd ed. Ankara, Turkey: TÜBİTAK, 2023.
20. [21] Prime Ministry of the Republic of Turkey, Circular No. 2003/12: e-Transformation Turkey Project. 2003. http://www.bilgitoplumu.gov.tr/Documents/1/Mevzuatlar/BasbakanlikGenelge_2003-12.pdf
21. [22] Prime Ministry of the Republic of Turkey, Circular No. 2003/48: e-Transformation Turkey Short-Term Action Plan 2003-2004. 2003. https://www.resmigazete.gov.tr/eskiler/2003/12/ 20031204.htm#3
22. [23] Prime Ministry of the Republic of Turkey, 2005/5 Numbered e-Transformation Turkey Project Action Plan for 2005. 2005. https://www.resmigazete.gov.tr/Eskiler/2005/04/20050401-12.htm
23. [24] Prime Ministry of the Republic of Turkey, 2006/38 Numbered Information Society Strategy and Action Plan 2006-2010. 2006. https://www.resmigazete.gov.tr/eskiler/2006/07/ 20060728-7.htm
24. [25] Council of Ministers, Decision on the Execution, Management and Coordination of National Cybersecurity Studies. 2012. Accessed: Feb. 03, 2023. https://www.resmigazete.gov.tr/eskiler/2012/10/ 20121020-18-1.pdf
25. [26] Council of Ministers, National Cyber Security Strategy and Action Plan 2013-2014. 2013. https://www.resmigazete.gov.tr/eskiler/2013/06/ 20130620-1.htm
26. [27] Ministry of Development, 2015-2018 Information Society Strategy and Action Plan. 2015. https://www.resmigazete.gov.tr/eskiler/2015/03/20150306M1-2.htm
27. [28] Ministry of Transport Maritime and Communication, 2016-2019 National Cyber Security Strategy. 2016. https://hgm.uab.gov.tr/uploads/pages/siberguvenlik/2016-2019guvenlik.pdf
28. [29] Presidency of the Republic of Turkey, Information and Communication Security Measures No. 2019/12. 2019. https://www.mevzuat.gov.tr/MevzuatMetin/CumhurbaskanligiGenelgeleri/20190706-12.pdf
29. [30] Ministry of Transport and Infrastructure, ‘Minimum Information Security Criteria That Public Institutions Must Comply with’, 2013. https://hgm.uab.gov.tr/uploads/pages/siberguvenlik/asbk.pdf
30. [31] Prime Ministry of the Republic of Turkey, Circular on Inclusion of Public Institutions and Organizations in KamuNet. 2016. https://www.resmigazete.gov.tr/eskiler/2016/12/20161203-24.pdf
31. [32] DTO, ‘Information and Communication Security Guide’. Accessed: Oct. 14, 2023. https://cbddo.gov.tr/bigrehber/
32. [33] Ministry of Transport and Infrastructure, 2020-2023 National Cyber Security Strategy. 2020. https://hgm.uab.gov.tr/uploads/pages/stratejieylem-planlari/ulusal-siber-guvenlik-stratejisive-eylem-plani-2020-2023.pdf
33. [34] Presidency of the Republic of Turkey, National Cyber Security Strategy No. 2020/15 and Action Plan for 2020-2023. 2020. https://www.mevzuat.gov.tr/MevzuatMetin/CumhurbaskanligiGenelgeleri/20201229-15.pdf
34. [35] Presidency of the Republic of Turkey, Presidential Decree No. 4 on the Organization of Ministries, Related Institutions and Organizations and Other Institutions and Organizations. 2018. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =4&MevzuatTur=19&MevzuatTertip=5
35. [36] DTO, ‘About DTO’, 2018, Accessed: Oct. 10, 2023. https://cbddo.gov.tr/en/about-dto
36. [37] Presidency of the Republic of Turkey, 1 Sayılı Cumhurbaşkanlığı Teşkilatı Hakkında Cumhurbaşkanlığı Kararnamesi (Presidential Decree No. 1 on the Organization of the Presidency). 2018.Accessed:Feb. 10, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =1&MevzuatTur=19&MevzuatTertip=5
37. [38] Ministry of Transport and Infrastructure, Elektronik Haberleşme Kanunu (Electronic Communications Law). 2008. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5809&MevzuatTur=1&MevzuatTertip=5
38. [39] Ministry of Transport and Infrastructure, Network and Information Security Regulation in the Electronic Communications Industry. 2014. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=19880&MevzuatTur=7&MevzuatTertip=5
39. [40] EGM, ‘Hakkımızda’. Accessed: Oct. 10, 2023. https://www.egm.gov.tr/siber/hakkimizda2
40. [41] Ministry of Internal Affairs, Law on Police Organization. 1937. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=3201&MevzuatTur=1&MevzuatTertip=3
41. [42] Council of Ministers, Law Amending the Law on State Intelligence Services and the National Intelligence Organization. 2014. https://www.resmigazete.gov.tr/eskiler/2014/04/20140426-1.htm
42. [43] Presidency of the Republic of Turkey, State Intelligence Services and National Intelligence Agency Law. 1983. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =2937&MevzuatTur=1&MevzuatTertip=5
43. [44] AFAD, ‘2014-2023 Technological Disasters Roadmap Document’, 2014. https://www.afad.gov.tr/kurumlar/afad.gov.tr/39 06/xfiles/teknolojik-afetler-son.pdf
44. [45] Prime Ministry of the Republic of Turkey, Law on the Organization and Duties of the Disaster and Emergency Management Presidency. 2009. https://www.resmigazete.gov.tr/eskiler/2009/06/20090617-1.htm
45. [46] TÜBİTAK, ‘Who We Are?’ Accessed: Oct. 11, 2023. https://www.tubitak.gov.tr/en/aboutus/content-who-we-are
46. [47] Council of Ministers, Electronic Signature Law. 2004. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5070&MevzuatTur=1&MevzuatTertip=5
47. [48] Ministry of Transport and Infrastructure, Law on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts. 2007. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =5651&MevzuatTur=1&MevzuatTertip=5
48. [49] Ministry of Culture and Tourism, Intellectual and Artistic Works Law. 1951. https://www.mevzuat.gov.tr/mevzuatmetin/1.3.5846.pdf
49. [50] Ministry of Commerce, Law on the Regulation of Electronic Commerce. 2014. https://www.mevzuat.gov.tr/mevzuatmetin/1.5.65 63.pdf
50. [51] Ministry of Commerce, Ticaret Sicili Yönetmeliği (Trade Registry Regulation). 2019. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=20124093&MevzuatTur=21&MevzuatTertip=5
51. [52] Council of Ministers, Law Regarding Approval of the Agreement on Crimes Committed in the Virtual Environment. 2014. https://www.resmigazete.gov.tr/eskiler/2014/05/ 20140502-12.htm
52. [53] Council of Ministers, Personal Data Protection Law. 2016. https://www.mevzuat.gov.tr/mevzuatmetin/1.5.66 98.pdf
53. [54] Ministry of Transport and Infrastructure, Communique on Procedures and Principles Regarding the Establishment, Duties and Operations of Cyber Incidents Response Teams. 2013. Accessed: Feb. 03, 2023. https://www.mevzuat.gov.tr/mevzuat?MevzuatNo =19004&MevzuatTur=9&MevzuatTertip=5
54. [55] Presidency of the Republic of Turkey, Communiqué on National Occupational Standards. 2020. https://www.resmigazete.gov.tr/eskiler/2020/02/ 20200209-9.htm
55. [56] YÖK, ‘Our Universities’. Accessed: Apr. 22, 2023. https://www.yok.gov.tr/universiteler/universitelerimiz
56. [57] Anadolu Agency, ‘7. Siber Güvenlik Ekosisteminin Geliştirilmesi Zirvesi başladı (EN: 7th Cyber Security Ecosystem Development Summit started)’. Accessed: Apr. 22, 2024. https://www.aa.com.tr/tr/bilim-teknoloji/7-siberguvenlik-ekosisteminin-gelistirilmesi-zirvesibasladi/3155686
57. [58] Siber Küme, ‘Turkey Cybersecurity Cluster’. Accessed: Oct. 11, 2023. https://siberkume.org.tr/Index
58. [59] DTO, ‘Cybersecurity Cluster’. Accessed: Oct. 11, 2023. https://cbddo.gov.tr/projeler/#4800
59. [60] Ministry of Industry and Technology, ‘List of Technoparks in Turkey’, 2023, Accessed: Oct. 11, 2023. https://teknopark.sanayi.gov.tr/Home/TgbListesi
60. [61] USOM, ‘Hakkımızda’. Accessed: Oct. 10, 2023. https://www.usom.gov.tr/hakkimizda
61. [62] Energy Market Regulatory Authority, Information Security Regulation in Industrial Control Systems Used in the Energy Sector. 2017. https://www.resmigazete.gov.tr/eskiler/2017/07/20170713-5.htm
62. [63] Anadolu Agency, ‘Turkey’s Cyber Fortress: USOM’, 2021, Accessed: Oct. 05, 2023. https://www.aa.com.tr/tr/bilimteknoloji/turkiyenin-siber-kalesi-usom/2439016#
63. [64] MSI, ‘Cyber Defense Operations Center on Duty’, 2017, Accessed: Sep. 12, 2023. https://www.savunmahaber.com/siber-savunmaharekat-merkezi-gorev-basinda/
64. [65] ITU, ‘Digital Development DashboardTürkiye’. Accessed: Feb. 13, 2023. https://www.itu.int/en/ITUD/Statistics/Dashboards/Pages/DigitalDevelopment.aspxÇifci, Savunma Bilimleri Dergisi, 20(2): 191-210 (2024)210
65. [66] TÜİK, ‘Household Information Technologies Usage Survey’. Accessed: Apr. 22, 2024. https://data.tuik.gov.tr/Bulten/Index?p=Hanehalki-Bilisim-Teknolojileri-(BT)-Kullanim