Author INCIBE. May 2015

Transcription

1

2 Author INCIBE This study has been elaborated with the collaboration of several agents who represent the national cybersecurity research & innovation ecosystem. [Appendix I STUDY PARTICIPANTS] contains a complete list of the organisations and their representatives who collaborated in the study. May 2015 This publication belongs to INCIBE (Spanish National Cybersecurity Institute) and is subject to a Creative Commons Attribution- NonCommercial 3.0 Spain licence. As such, the copying, distribution, and public communication of this study is permitted under the following conditions: Attribution. The content of this report may be fully or partially reproduced by third parties, provided that they cite its origin and make express reference to INCIBE or CERTSI and its website: This attribution shall, under no circumstance, indicate that INCIBE supports this third party or supports the use that it makes of its study. Non-commercial Use. The original material and the studies deriving therefrom may be distributed, copied, and exhibited, provided that their use is not for commercial purposes. When re-using or distributing the study, the terms of the licence of this study must be made clear. Some of these terms may be waived if permission is obtained from CERTSI as the copyright owner. Complete licence text:

3 TABLE OF CONTENTS 1 BACKGROUND AND MOTIVATION Context and study objective Structure Main conclusions ANALYSIS FRAMEWORK Analysis model Methodology Initial considerations COMPETITIVE POSITIONING OF THE CYBERSECURITY RESEARCH & INNOVACION ECOSYSTEM Map of Stakeholders & Agents Analysis of the institutional, legal, and economic context Characterisation of the cybersecurity research & innovation ecosystem Resources R&D+i value creation model Results Cybersecurity research & innovation ecosystem relationship model Main national collaborative models or networks Main international collaboration models or networks Factors limiting cybersecurity R&D+i competitiveness General and structural weaknesses and obstacles Specific cybersecurity weaknesses and obstacles Conclusions SWOT analysis of the cybersecurity research & innovation ecosystem Action plan for the increase in the cybersecurity research & innovation ecosystem s competitiveness OPPORTUNITY ANALYSIS AND SWOT OF THE CREATION OF A NETWORK of excellence ON CYBERSECURITY R&D+i Opportunity Analysis SWOT NETWORK OF EXCELLENCE MODEL ALTERNATIVES Multicriteria assessment of the Excellence network model alternatives Presentation and validation of alternatives with the interested parties MODELLING THE NETWORK Strategic formulation of the network Mission, vision, and values Strategic objectives, action lines, and measures Strategic alignment with the Cybersecurity Cluster in Spain project ACTION PLAN: short-, medium-, and long-term actions roadmap Summary report Page 3 of 81

4 7.1 Phase 0: Collaborative definition Phase 1: Starting the pilot programme Phase 2: Deployment Phase 3: Stabilisation Cross-disciplinary phase: Management of the implementation Action Plan Schedule APPENDIX I STUDY PARTICIPANTS AI.1 INTERVIEWS AI.2 QUESTIONNAIRES AI.3 PARTICIPANTS IN THE Focus GroupS AI.3.1 FIRST Focus Group AI.3.2 SECOND Focus Group APPENDIX II STRATEGIC LINES OF ACTION AND MEASURES APPENDIX III DOCUMENT SOURCES CONSULTED APPENDIX IV AGENTS OF THE CYBERSECURITY R&D+i ECOSYSTEM IN SPAIN APPENDIX V COLLABORATIVE NETWORKS ANALYSED Summary report Page 4 of 81

5 1 BACKGROUND AND MOTIVATION 1.1 Context and study objective The Spanish National Cybersecurity Institute (INCIBE) is an organisation dependent on the Ministry of Industry, Energy, and Tourism (MINETUR), through the State Department of Telecommunications and for the Information Society (SETSI), and it is the benchmark institution with regard to the development of cybersecurity, and of digital trust for the general public, for RedIRIS (the Spanish academic and research network), and for businesses, especially sectors of strategic importance.. In the framework of the Trust in the Digital Domain, which is part of the Digital Agenda for Spain, INCIBE has driven the elaboration of the feasibility study and design of a network of centres of excellence in cybersecurity R&D+i. The objective of this study is to understand the context and dynamics through which cybersecurity R&D+i is conducted in Spain, in order to determine the suitability and relevance of the creation of a network of centres of excellence in cybersecurity R&D+i. The future network would be aimed at overcoming the fragmentation of research, combining the critical mass of the best scientific and technological capacities, assets and talents, thus promoting an improvement in the competitiveness of the Spanish R&D+i cybersecurity ecosystem. This document presents a summary of the main results obtained after the study has been carried out. The study has been carried out with a participative, collaborative, and consensual approach. The characterisation of an ecosystem such as the cybersecurity one, which is very complex and diverse, would not make sense without considering the vision, experience, and opinion of its agents, who really know the dynamics and capacities of the ecosystem itself, and its deficiencies, weaknesses, and issues. As such, the study has been carried out with the participation and intelligence of the ecosystem as its driving force. A group of representative agents belonging to the four main types of organisations that form any ecosystem of this type, has collaborated in the study: Public Administration, Academia, R&D+i Support Organisations and Industry. These agents have contributed providing their vision on the current state of the ecosystem, and the issues and challenges that cybersecurity faces. The study reflects the global intelligence, materialised in the visions and opinions with general consensus and majority backing from participants in the study. As such, the representativeness of the results obtained has been ensured. Summary report Page 5 of 81

6 This Intelligence has actively participated throughout the study, not only in the identification of the state of the art in cybersecurity R&D+i and the challenges that our country must address to improve its positioning, but also in the identification, validation, and agreed definition of the basic premises and the mission that should guide the creation of the future Network of Excellence, as well as the objectives that would be included in its agenda. 1.2 Structure The contents of this document have been structured in accordance with the logic followed during the execution of the study: Firstly, it is presented in an executive summary way, the main conclusions, in terms of positioning of the cybersecurity research & innovation ecosystem and the challenges that must be addressed, the feasibility of the creation of a Network of Excellence, and the strategic elements that should guide its creation and activity. The [ANALYSIS FRAMEWORK] section illustrates the methodology that guided the preparation of the study. The main results of the analysis and assessment of the ecosystem, in terms of resources available, value production dynamics, and results obtained are displayed below. This analysis is complemented with the state of the art in terms of the collaboration dynamics and models present in the ecosystem. As a result of that analysis and assessment, it is discussed the main constraints and challenges that the ecosystem must face to improve its competitiveness, as well as a proposed action plan to address this improvement. This cybersecurity R&D+i ecosystem shaping allows to advance towards the next step, to determine the suitability and feasibility of establishing a Network of Excellence, promoting a leap forward in the value production and results of the ecosystem. Main network model alternatives that respond to the challenges posed are presented, collaboratively considered to be the most feasible and suitable for the future network. The study concludes with the strategic characterisation of the network (mission, values and strategic goals) and an action plan for the implementation of its activities over the coming years. As additional information, the study includes appendices detailing the study participants, the documentary sources consulted, a look at the map of R&D+i agents in cybersecurity in Spain, and the details of the collaborative models analysed. 1.3 Main conclusions The opportunity: positioning Spanish R&D+i on the global stage In general, and taking into account the limitations in terms of quantifying cybersecurity, it should be highlighted that Spain does not have a clear R&D+i positioning at an Summary report Page 6 of 81

7 international level, and it is not considered one of the best in class in any of the scientific-technological areas in which cybersecurity could be included 1. Our country is behind other European countries, which is evidence of a major technological gap both in research and transference. The differentiating factors of the leading countries (the United States, Israel, and the United Kingdom) are policies and clear research focal points, as well as medium- and long-term investment in R&D+i, which allows the maturation necessary for obtaining returns. This gap also exists in Europe, where Spain is behind countries such as France, Germany, and the Netherlands. In our ecosystem, a series of limitations explain this weak positioning and shape an environment that does not allow us to position ourselves amongst the world leaders in cybersecurity. Many challenges ahead Our ecosystem must overcome these limitations (challenges) and address the improvement of its competitiveness and results. These challenges, which are profoundly important and have a major impact, along with the dearth of networks and collaboration models in cybersecurity R&D+i, constitute an opportunity and explain the need to create a Network of Excellence which, through the connection, pooling, and exploitation of assets, responds to these challenges. The network would undoubtedly play a key role in the future of the ecosystem, and it will allow the first steps to be taken towards a more cohesive and united ecosystem with greater synergy, resulting in higher levels of R&D+i. Many of these challenges are related to the structural and circumstantial weaknesses of the Science and Technology System, which, in the last few years, have not accompanied the driving forwards of such a strategic and critical sector; on one hand, the financial crisis has resulted in a restriction of the budget appropriation in R&D+i, which has obviously affected cybersecurity; on the other hand, the structural weaknesses of the Science and Technology System and cultural factors (risk aversion, poor collaboration culture) slow down R&D+i in our country. Likewise, there are also specific R&D+i challenges in cybersecurity, since many elements still need to be developed in our country. The State must establish a focus or a clear strategy with regard to the priorities from which R&D+i can be constructed, reverse the budgetary shortage trend, and develop a more extensive internal market, through a greater drive in the demand for cybersecurity solutions, mainly by the Public Administrations and the State. 1 In the framework of the study, the following have been identified as large groups of scientific-technological areas: research, mobility, hardware, cyber-defence/cyber-attack, secure coding, and procedures/operations. Summary report Page 7 of 81

8 Making the most of the momentum created, and developing the ecosystem s capacities to enter a new stage of cybersecurity in Spain However, the major capacities of our country in R&D+i, the awareness that the ecosystem agents have about the need to tackle the challenges, along with a great willingness on the part of the latter to get involved on a new stage for R&D+i in cybersecurity, favour the ecosystem, since they are fuel that will allow a step to be taken towards a new stage. This willingness of the ecosystem to develop the new generation of cybersecurity must be accompanied by the changes and actions that the Public Administration, in its role as facilitator and promoter, must take without fail for this step forward to become a reality. Elements such as the development of strategies with specific focal points, the establishing of a specific R&D+i Agenda, positioning in the European Union, and the necessary development in regulations or certifications, are part of the contextual conditions that this change requires. In addition, for a winning solution, it is necessary to take this challenge seriously, with clear commitments and well-defined budgets, far from theoretical proposals and statements of intent that do not produce tangible and real results. A brief review of the state of the art of R&D+i in cybersecurity The current R&D+i situation in cybersecurity will allow us to outline the challenges faced by the ecosystem, in which the network will play a key role. A dynamic sector with many opportunities The cybersecurity sector presents many opportunities, with some factors standing out, such as: The increase in the number, type and sophistication of the threats. The greater number of vulnerabilities, due to the increasingly widespread use of technology (particularly mobile technology and cloud solutions). A growing awareness of organisations and consumers about security risks. Regulations, which impose obligations regarding the protection of personal data, and information, and the infrastructure that supports it. A regulatory framework that has taken the first steps, but which must set the focus points and priorities Cybersecurity is a key issue on the Spanish governmental agenda; the Government of Spain aligns itself with the issues raised by the European Union (Cybersecurity Strategy of Summary report Page 8 of 81

9 the European Union), establishing a series of strategies with commitments regarding cybercrime, public administration security and cyber-defence 2. Despite these strategies being an important step forward, they are high-level proposals that result in statements of intent which define the problem and provide general solutions, but they must be specific and well-grounded. The absence of thematic focal points or priorities in these strategies is particularly remarkable. The agents taking part in the study consider that a clear development of R&D+i in cybersecurity is necessary, with a focus and funding, setting out the priorities and the path to follow, in order that the ecosystem may point in the direction established. Many agents who participated in the study are calling for the creation of a cybersecurity R&D+i - specific programme or agenda. The legislation in force at the date of this study is marked by the development of specific regulatory aspects, although, as with the case of the strategies, there is still a long way to go. In the future, It should be expected the regulatory framework to become a much broader element as cybersecurity policies are created. An ecosystem with a broad capacity to generate more value Our ecosystem is broad and diverse, since it includes more than 300 agents (from science, industry, administration, and R&D+i support organisations). However, it is strongly fragmented and disconnected, since the relationship dynamics between its agents are more one-off than general and without a specific focus on its activity. In short, it is an ecosystem that does not use all of the potential synergies that collaboration, which probably means that it is operating far below its capacity. R&D+i results are poor in terms of transference and applicability to the market. This means that many publications and patents do not become products or services that are applied in the market. The poor incentives of the Science and Technology System for transferring the results of research to the market is one of the main limiting factors for reversing this trend. Transference-specialised agents (R&D+i Support Organisations) must lead the process of transference and commercialisation of the research results to the industry, promoting an in-depth review of the transference mechanisms and incentives. However, and despite all of these limiting factors, it is a relatively young ecosystem with many assets, and therefore, there is a long journey ahead and much room for improvement in the exploitation and development of its capacities. 2 The National Cybersecurity Strategy (ECSN), part of the National Security Strategy (ESN), the Maritime Security Strategy, and also part of the ESN, with specific action relating to maritime cybersecurity, and the Digital Agenda for Spain (inspired by the Digital Agenda for Europe) develop the Digital Trust Plan, implementing digital trust actions. Summary report Page 9 of 81

10 A poor financial framework for R&D+i Spain is clearly weak in terms of funding, with investment levels that are lower than those of the leading countries 3. There is therefore a loss of competitiveness in the industry and in the research system, with a long-term impact, since the results of R&D+i returns are felt over a relatively long period of time. Despite the R&D+i Strategy ( Spanish National Plan for Scientific and Technical Research and Innovation) mentioning cybersecurity as a thematic priority, its scope is not specified in terms of budgetary resources, and it is considered to have limited funding. The private sector has also shown signs of budgetary restriction as a result of the financial crisis, with major cuts in R&D+i investment. Lastly, the lack of traction from the Administration, not only regarding the low level of specificity in cybersecurity policies, but also in terms of the absence of budgets in the public organisations, which have to implement these solutions in their own agencies, aggravates the problem, and adds a request dimension to the already complex budgetary situation. A smaller market in Spain that limits the growth of R&D+i solutions The low levels of demand for cybersecurity solutions in Spain result in a smaller market. The lack of awareness about the need for protection against cyber-attacks by consumers, companies, and the Public Administration (civil, defence, and intelligence) is a key factor that would explain this low demand. It is therefore necessary to continue making progress in the cybersecurity culture in our country. Furthermore, the agents participating in the study call for actions aimed at strengthening Spanish solutions and a better traction from the Public Administration in the demand for innovative solutions. Talent as one of the great concerns The main issue of talent in Spain, given its recurrence in the conversations with the agents of the ecosystem that participated in the study, is the human capital flight to other countries in search of better opportunities. This poses a very concerning situation, given that cybersecurity is a field that requires specialised talent, in which the training of professionals requires time and maturity. This is occurring in a context in which there is expected to be a strong need for professionals over the coming years. One of the main factors contributing to slowing down the capacity of the ecosystem to retain and recognise talent is shortcomings in the Science and Technology System, whose precarious remuneration does not contribute to creating a perception of research as a professional option. In addition, there is a need to organise and structure talent, through 3 Recommendations report of the High-level Expert Group for the Digital Agenda for Spain, published in Summary report Page 10 of 81

11 specific approaches for the training of cybersecurity researchers and professionals, which allow an itinerary and a clear training profile to be established. The role of the future Network of Excellence In the light of the diagnostic of the ecosystem, the network could play a key role in the search for and implementation of the solutions that respond to the challenges posed, leading to a strong, cohesive, and robust system with the capacity to position itself in the winner s league. Following the collaborative process carried out with the ecosystem agents, it has been firstly identified that the network could collaborate in the resolution of the following challenges: Definition of an R&D+i cybersecurity plan or agenda on a national level, as well as a plan for Spain s positioning in the Horizon 2020 programme. Identification of the research incentive mechanisms. Awareness-raising about the need to protect information, systems, and networks against cyber threats and cyber-attacks. Identification of the capacities, potential, and level of excellence of the ecosystem. Review of the talent attraction and retention mechanisms that contribute to stemming the brain drain. Identification of the common points of interest in the ecosystem and the generation of collaboration incentives around them. Identification of the market needs for the development of solutions with a commercial focus. Mission and Objectives of the Network of Excellence During the network s strategic formulation process, the following were highlighted as key elements of the network s activity: Specific objectives, both in the long- and short-term, with a focus on R&D+i and on the transference of the research results to the market. Response capacity in a context in which the speed of technological change requires a flexible, open, and quick response. It is not only technologies that advance at an exponential rate, but also cyber threats and cyber-attacks. Coordination with the Government and Public Administrations responsible for the development of cybersecurity in order to be able to generate the appropriate responses in a coordinated and collaborative manner. Summary report Page 11 of 81

12 Excellence as the key component governing the Network. Developing R&D+i resources as the core mission of the Network The network s main objective will be to contribute to the improvement of competitiveness, to seek the development of solutions that respond to the needs of the market. As such, it will work actively to overcome the fragmentation of the ecosystem, through actions that allow the ecosystem s capacities to be exploited in a collaborative, synergetic, and joint manner. On the date of preparation of this document, the establishing of the Network s mission in strategic objectives, action lines, and specific measures, are the subject of debate and consensus with the agents collaborating in the study. All this is specified in [Appendix II: Strategic lines of action and measures], but it also could have some changes in a future. Summary report Page 12 of 81

13 2 ANALYSIS FRAMEWORK 2.1 Analysis model The process for the creation of the study has been carried out using the following general analysis model, which reflects the group of assets, agents, and dynamics that allow value to be produced in the cybersecurity research & innovation ecosystem. Figure 1: General analysis model. From this perspective, a simplified representation of the ecosystem has been used, to be seen as a system which, through available resources, generates value in its main results. Resources: what elements does the ecosystem have that produce value? Results: what is the real result and the value produced by the ecosystem? R&D+i value creation model: what value production vehicle does the ecosystem have? 2.2 Methodology The methodology for carrying out the study is based on two approaches: Collective thinking exercise with different key agents of the ecosystem that contributed their vision and perspective. Participants belong to different groups, including experts, companies, universities, technological centres, and public Summary report Page 13 of 81

14 institutions in order to assure the representativeness of the study. They took part through the following mechanisms: o Individual, private, and anonymous interviews, in order to obtain free opinions from a total of 18 ecosystem agents (15 national and 3 international). o Submission of questionnaires to be completed by a total of 65 ecosystem agents. o Comparison with INCIBE of the results obtained in the collective thinking exercise, through a Think Tank session. The objective of this session was to align the aspects of the Network outlined by the Collective Intelligence with the strategic documents that explain both this study and the initiative of creating the Network of Excellence. o Focus Group Sessions aimed at generating free and guided discussion to finalise important aspects of the Network with the greatest degree of consensus possible. Two sessions were held with the participation of a group of relevant agents. Appendix I STUDY PARTICIPANTS includes the list of the organisations and individuals who collaborated in the preparation of this study. To complement these opinions, a comparison with analytical information and document sources available for cybersecurity was carried out both at a national and international level, from the different sources of information. Appendix III DOCUMENT SOURCES CONSULTED includes the detail of the sources analysed during the preparation of the study. The objective of this combined analysis has been, in the first phase, to launch a divergent analysis, allowing the identification of the group of potential solution scenarios, in order to, in a second phase, converge towards the more feasible scenarios in the development and implementation of the future Network of Centres of Excellence in cybersecurity R&D+i. Summary report Page 14 of 81

15 Figure 2: Analysis methodology. 2.3 Initial considerations The interpretation of the study results must be carried out bearing in mind a series of elements that determine them. Firstly, cybersecurity is a relatively new and emerging concept, which involves the virtual absence of studies and specific statistics that allow a systematic analysis to be carried out. Moreover, it is a cross-sectional area, with applications in practically all fields of Information and Communications Technologies (ICT) and in all production sectors, which makes it difficult to obtain financial data to quantify both the industry and its R&D+i level 4. Lastly, it is a concept that both due to its many applications and its implications (regulation, civil, military, and technological) is very wide in its interpretations. More specifically, in the area of R&D+i, the plurality of agents in the scientific-technological and knowledge areas 5, increased the complexity of the study. This problem, in addition to the lack of data, means that the analysis of R&D+i in cybersecurity has not been able to be carried out globally and systematically. As a result, in the analysis carried out, there has not been the availability of data and statistics that would be necessary to thoroughly evaluate R&D+i in cybersecurity from a 5 The absence of public sources and statistics that allow us to evaluate cybersecurity in detail made it impossible to carry out an evaluation of the research capacity and excellence in our country. Summary report Page 15 of 81

16 quantitative point of view. Research based on the knowledge of the ecosystem by INCIBE and the agents who participated in the study has been conducted to overcome this difficulty. Summary report Page 16 of 81

17 3 COMPETITIVE POSITIONING OF THE CYBERSECURITY RESEARCH & INNOVACION ECOSYSTEM 3.1 Map of Stakeholders & Agents To put into context the current situation of the cybersecurity research & innovation ecosystem, one of the first tasks to undertake is to outline the map of agents both at a national and international level. It is necessary to highlight the lack of formal and structured sources of information that compile and characterise all of the ecosystem agents comprehensively. In order for this not to affect the creation of the report, hard work was required during the agent identification process, using both the knowledge available (expert collaborators, interviewed/surveyed agents, and INCIBE), as well as the references shown in the various document sources analysed. The cybersecurity research & innovation ecosystem is a complex ecosystem consisting of many agents with different roles, who interact with each other: Public Administrations, the Academic Sector, R&D+i Support Organisations, and the Industry. Figure 3: Type of cybersecurity research & innovation ecosystem agents. The Public Administrations consist of both civil and military organisations with different roles: Consultation role. These both civil and military non-governmental organisations are generally supranational, which carry out reflection processes and mark out the Summary report Page 17 of 81

18 main lines of cybersecurity in the institutional and political sphere. Amongst other elements, they formulate recommendations and design global standards with the objective of creating a common framework that combines visions with regard to the development of cybersecurity in the different nations. Communication role. Aimed at the communication, sharing, and pooling of various issues in the area of cybersecurity. Strategic role. Country governments fall into this category, such as institutions, whose mission is to design strategies and public policies on this issue and make them operational. The institutions of the European Union that form policies are also included. Funding role. Governmental agents in charge of financially and economically covering cybersecurity. In the sphere of this study, the agents that fund the R&D+i activities have been only strictly considered. Legislative role. Agents who define the legal framework in which cybersecurity activities are managed. The Public Administration s demand-inducing role in two ways: It demands security for the protection of the information managed by the administration itself. It demands protection and security solutions in the area of defence and national intelligence. The agents of the Academic Sector are the basic core of the scientific research and technological development system. This category includes universities (with their associated research groups) and (public and private) research centres. R&D+i Support Organisations contribute to making the system dynamic, providing interaction between the scientific and technological settings for the dissemination and generalisation of R&D+i processes. Specifically, three types were considered: Research Results Transference Offices (OTRIs), whose objective is to contribute to the commercialisation of the R&D+i results generated in the university and research centres. Technological Centres (TC) which, in line with the requirements of the business, develop technological research and development projects, contributing to the transference of research results, promoting cooperative research between the companies and increasing their technological level and competitiveness. Summary report Page 18 of 81

19 Technological Innovation Support Centres (CAIT), whose objective is to facilitate the application of knowledge generated in research institutions and technological centres, through their mediation to companies. The Industry and companies are analysed from two perspectives: Companies that carry out their business in the area of cybersecurity. Business associations that, through the union and collaboration between their partners and members, seek to obtain synergies, economies of scale, and the carrying out of joint R&D+i activities. Below, the map of the Spanish R&D+i Ecosystem is shown, identifying the number of agents that exist within each agent category: Figure 4: Map of agents of the cybersecurity research & innovation ecosystem in Spain. Appendix IV AGENTS OF THE CYBERSECURITY R&D+i ECOSYSTEM IN SPAIN of this document provides a list of the agents identified by each category. 3.2 Analysis of the institutional, legal, and economic context Within the analysis model proposed for analysing the Cybersecurity research & innovation ecosystem, the first element to take into account is the context in which it is managed, which could be accepted as the general rules of play that define the perimeter of cybersecurity development. Summary report Page 19 of 81

20 Figure 5: General analysis model: context. In the international scope, it is important to highlight that the first steps have been taken in recognising cybersecurity as a key issue on the governmental agendas, with high-level strategic guidelines being established to address it. These guidelines need to be reviewed constantly and continuously, given the speed of change in information technologies and cyber threats. The European Union recognises the importance of cybersecurity in its main line of strategy, the Europe 2020 strategy, although it explicitly recognises that Member States must establish their own national strategies in this area. In Spain, it must highlighted that, despite the Spanish State having recognised cybersecurity as a key issue on the governmental agenda, the reality is that the strategies designed are high-level proposals that result in statements of intentions that define the challenges and provide general solutions, but they must be specific and well-grounded. Indeed, one of the characteristics of the different initiatives 6 that the Government of Spain has undertaken in relation to cybersecurity, is the absence of thematic focal points or specific priorities. This lack of specificity may be a disadvantage in the development of cybersecurity, with a general scenario being proposed where it is difficult for ecosystem agents to establish an action strategy. In the legal sphere, the scenario is similar to the context, given that it is an element that is developed in parallel to the advancement and implementation of strategies in 6 The Digital Agenda for Spain, the National Security Strategy (ESN), the National Cybersecurity Strategy (ECSN), and the Maritime Security Strategy (with a specific action in cybersecurity). Summary report Page 20 of 81

21 cybersecurity. As such, there is a long way to go, and the advancement and speed will be marked by the degree of strategic and political development. Specifically, there are various elements that could be highlighted as requiring development: Alignment of the Spanish and European legal frameworks, as a critical element for the detection and coordinated pursuit of cyber threats and cyber-attacks. The specific obligations in the protection of critical infrastructure. Regulatory developments aimed at driving forward the European digital market. The regulation of security aspects in Electronic Administration and interoperability in the exchange of electronic information between administrators. Lastly, with regard to funding of R&D+i, cybersecurity is one of the thematic priorities of the European R&D+i programme (Horizon 2020), which has budgetary allocations and specific development areas. At the State level, it can be concluded that cybersecurity receives lower levels of investment than leading countries (the United States, the United Kingdom, and Israel). In the absence of a specific cybersecurity R&D+i plan, the State Plan for Scientific, Technical, and Innovation Research is the main source of funding for R&D+i activities in this field. This plan recognises this area as key, although there is only partial information about the budgetary allocation for this priority Characterisation of the cybersecurity research & innovation ecosystem This section assesses the different elements that, in addition to the context, form the cybersecurity research & innovation ecosystem. Specifically, it is analysed the resources, the value creation model and the results produced by this model Resources The resources represent the basic elements available in the research & innovation ecosystem for the creation of value, represented by the market, science and knowledge, talent and funding. 7 Through a request made to the Ministry of the Economy and Competitiveness on the degree of project execution in cybersecurity, we received the following data: 1) General Directorate of Scientific and Technical Research (DGICT). 27 projects funded during the period, for a total amount of 3.3 million euros. 2) General Directorate of Innovation and Competitiveness (DGIC): in the 2014 call for Collaboration Challenges, 11 projects were funded in Challenge 8, Security, Protection, and Defence, for a total amount of 7.8 million euros. Additionally, during the period, a total of 18 projects were funded in the framework of the subprogramme INNPACTO, for an amount of 20 million euros. Summary report Page 21 of 81

22 Figure 6: Resources. Market In general, the Spanish industry is characterised by high fragmentation and diversity in the category of companies, from large driving companies (national and international) to niche companies. It can be concluded that the volume of companies is smaller in comparison to other economic sectors, although there are no public statistics that allow quantification of the company census. It is necessary to make an effort in the Spanish industry to overcome the technological gap and to position the country on the global arena, since our industry as a whole is very far from both the main industrial leaders (the United States and Israel) and the second line of competitors (the United Kingdom, the Netherlands, France, and Germany, amongst others). Lastly, the poor cybersecurity culture in Spain and the Administration s low driving capacity for demand are other limiting factors for the industry s capacity to generate and commercialise cybersecurity solutions. Both elements result in a smaller domestic market that limits the development possibilities for the industry. In an international context, Latin America is the main focal point for opportunity for our industry. Science and knowledge We should highlight the existence of critical mass in research in Spain, with 110 research groups in 42 universities and 3 research centres dedicated to cybersecurity being identified. The diversity of scientific-technological areas (despite many of the research groups being dedicated to cryptography-related areas), and the disconnection and lack of collaboration Summary report Page 22 of 81

23 between agents, disperses the research capacity and means with no specific and defined strengths from an aggregate level. Indeed, Spain does not appear in the Best in Class about research and transference in any of the cybersecurity scientific-technological areas. Talent The main element that characterises the talent of cybersecurity in Spain is the important human capital loss on behalf of other countries, due to the better opportunities offered by our competitors. Furthermore, the Science and Technology system has a series of weaknesses and shortcomings, which are limiting factors for the process of recruiting and retaining research personnel and they contribute to accelerating the human capital flight: Precariousness of the hiring and grants policy for research personnel, which does not contribute to improving research professionals perception of it as a professional option. The research personnel replacement ratio in the Academic Sector is much lower than loss of staff, resulting in a net reduction in the volume of research talent available. The low driving force in domestic demand for cybersecurity (consumers, companies, and the Administration) is an element that limits the development of the industry and, therefore, the demand for talent. Favourable elements are the availability of a good level of talent. However, many agents participating in the initiative consider it to be necessary to improve the talent training and recruitment plans in cybersecurity, with a more specific focus being generated in this field and with the labour market (industry) needs being incorporated into these plans. Lastly, it is important to highlight the forecast of a high demand for professionals over the coming years, given the great opportunities offered by cybersecurity. Funding In Spain, in the absence of a specific R&D+i plan in the field of cybersecurity, it can be highlighted that, despite the State policies (and those of some regions) establishing security as one of the thematic priorities for R&D+i, the level of financial support can only be partially evaluated. Funding cuts in science has led, not only to the reduction in funding for projects, but also a limit in the research personnel of the institutions. Given this situation, the European Union s Horizon 2020 programme is practically the only route for funding R&D+i. The State Scientific, Technical, and Innovation Research Plan is considered to have limited funding. Summary report Page 23 of 81

24 Another of the means used by the Academic Sector to obtain funds is collaboration with companies (R&D contracts); however, due to the current issue of disconnection between science and business in our country, this means of funding is still low R&D+i value creation model This model is fuelled by the resources of culture, talent, science and knowledge and transference and it adds value to them or takes value away from them depending on how the elements of the value production model are configured for producing a result. Culture Figure 7: cybersecurity R&D+i value creation model. Collaborative culture. The collaborative culture in our country is low, which reduces the ecosystem s capacity to produce value through joint R&D+i projects. Entrepreneurship culture. Spain has a risk-aversion culture, which implies relatively low entrepreneurship levels. The agents participating in the study indicate the need to work and strengthen this element from the earliest stages of the education system. Cybersecurity culture. Companies and the market in general are not aware of the need to protect themselves and prevent attacks. This situation results in a reduced domestic market, which leads to low levels of demand for cybersecurity solutions in the three main groups that demand solutions (consumers, companies, and Public Administration). The search for international markets, such as Latin America, is a possible alternative to this lack of internal demand. Summary report Page 24 of 81

25 Talent The cybersecurity talent-generating model begins in the university system, although some of the participating agents call for the need to develop a cybersecurity culture and professional vocations from the earliest stages of the educational system. As a starting point, it must be borne in mind that this talent requires a high specialised training, after graduation from university, and as such, the preparation and maturation of professionals in this field requires time. Furthermore, since it is a cross-sectional discipline, it does not have a specific training focus, which results in an unclear professional profile. There is a large potential volume of talent, since any IT technician or telecommunications engineer, with the correct training can become a cybersecurity professional. However, to develop all of this potential, a specific and guided training process is demanded, which is aligned with the national roadmap in this subject, which guarantees that there are professionals who are trained for our country s future challenges. This alignment of university with cybersecurity should be formulated through closer contact with the industry, matching the needs of the market with academic training, which is the model followed by some leading countries in this field (the United States). Likewise, the future planned steps in the certification of professionals in cybersecurity will be an element that will contribute positively to distinguishing talent. Science and knowledge The cybersecurity research & innovation ecosystem in Spain is characterised by its amplitude, diversity, fragmentation, dispersal and by not having clear relationship dynamics between its agents. However, since it is relatively young, we can expect a positive evolution in the use and development of these research capacities. It is therefore necessary to make progress in terms of greater levels of collaboration in common objectives, which will increase the positioning of our ecosystem both nationally and internationally. In addition to the lack of collaboration, there are other elements that hinder its research capacity, allowing it to extract all of its potential: the lack of a specific R&D+i plan for cybersecurity and the poor budgetary allocation to science. Lastly, it will be necessary to work on a series of elements that allow the creation of solid foundations in order to increase the contribution of value in cybersecurity R&D+i: Knowledge of the capacities and potential of R&D+i in Spain as the first step for boosting the research. An increase in collaboration between agents. Summary report Page 25 of 81

26 A better definition of the policies (focal points) and public budgetary allocations. Relaunching of instruments that enable and empower the role of the Public Administration as a driving force of the demand for cybersecurity. Innovative public purchasing and the early demand for innovative solutions are useful elements for boosting the development of leading solutions. Transference The weaknesses of our country in the process of transferring the results of research to the market and the now traditional disconnection between science and the market are recurring themes in the debate on the Spanish Science and Technology System. The levels of transference to the market, which cannot be assessed objectively, due to the lack of public data, are relatively poor in the opinion of the agents and experts who participated in the study, who point to some elements as causes of this situation: The Academic Sector indicates the poor incentives for researchers to implement transference. However, the agents who specialise in transference must play a key role in the commercialisation of the research results to the industry. Another of the elements indicated is the ease that proximity between companies and research centres provides to the transference process, which is complicated for geographical regions that are far from the main business centres, since the business network does not usually have an R&D+i culture, and it is more focussed on surviving the crisis than promoting it. In the sphere of cybersecurity, there is also the fact that companies and the market in general are not aware of the need to protect themselves and prevent attacks. Transference on an international level is complicated, since the sovereignty of countries in cybersecurity affects the transference process, not only in terms of military and intelligence aspects, but also in solutions in the civil sphere. The solution to the lack of transference has to take into account various elements: The carrying out of joint projects that have common interests both for science and the industry. Making the research capacity and potential of the Academic Sector known to the industry. Revision of the transference agents model, establishing the incentives that allow a real transference. Summary report Page 26 of 81

27 3.3.3 Results Figure 8: Results. The results reflect how the research & innovation ecosystem adds or subtracts value to or from the resources. In accordance with the analysis model proposed, there are four main result categories to generate: publications, patents, technological companies and reference, with the latter term being understood to mean the ecosystem s capacity to position itself as excellent and a reference within the scientific-technological panorama of cybersecurity. In general, the diversity of scientific-technological areas (despite many research groups being dedicated to areas related to cryptography) and the disconnection and lack of collaboration between research & innovation ecosystem agents, means that the results of the research are dispersed and do not have specific and defined strengths. As a result, the Spanish cybersecurity research & innovation ecosystem is not a reference at an international level in any scientific-technological area that includes cybersecurity (which does not imply that there is not reference at the individual level of researchers, universities, or research groups). The agents participating in the study perceive that the results of R&D+i in cybersecurity are poor. Perhaps the production of publications and patents are the elements that have the most volume, although the lack of applicability and transference to the market means that, in practice, these results are not transformed into financial value and do not reach the market. This low applicability may be due to various factors: Lack of specific research strategies with practical approaches for application. In the research system, there are no clear incentives for transference to the market and there is no defined an entrepreneurship model. Summary report Page 27 of 81

28 3.4 Cybersecurity research & innovation ecosystem relationship model In this section, an analysis of the relationship model is presented as dynamics, models, and collaborative relationships between the different cybersecurity research & innovation ecosystem agents. In order to achieve this, an illustrated vision of the agents participating in the initiative on the relationship dynamics in the ecosystem has been made. These visions will be complemented by an analysis of the main collaborative networks identified in our country. Lastly, due to its value as a source of best practices and inspiring experiences, an analysis of the main international networks is included. Appendix V COLLABORATIVE NETWORKS ANALYSED includes a list of the national and international collaborative networks Main national collaborative models or networks Generally, in Spain the collaboration culture is relatively poor, which is an initial limiting element for the development of cybersecurity R&D+i collaboration. As mentioned before, the research & innovation ecosystem is characterised by its amplitude, diversity, and disconnection, which makes it difficult to systematically identify the collaboration and relationship dynamics between its agents. The evidence available indicates that a relationship model collaboration between agents is on a one-off basis, without existing indications of global and comprehensive collaboration in the ecosystem. The agents participating in the initiative consider that in Spain, in comparison with other countries, R&D+i collaboration is low, mainly due to cultural aspects, added to the funding situation, which does not help the creation of collaboration ties through ecosystem agents carrying out joint projects. There is a certain mood of pessimism with regard to the existing collaboration models, since it is considered that they do not fulfil vitally important premises, such as showing a real commitment to R&D+i materialised in budgets, or establishing clear business objectives, that result in collaboration for the development of marketable solutions. Lastly, participants indicate the existence of collaboration in European R&D+i funding programmes (Horizon 2020 and previously, the Seventh Framework Programme). However, Spain s returns in these programmes are not in line with its capacities, and as such, it is necessary to continue working on the development of a proactive strategy to position Spain in Horizon 2020 and in the European Union organisations involved in designing the priorities of the aforementioned programme. Three main types of collaboration result from the analysis of the collaborative networks in Spain: Summary report Page 28 of 81

29 Collaboration between science (universities and research groups) and the industry, which are increasingly common but at a level that is lower than other sectors (perhaps because cybersecurity is an emerging sector), and it is more one-off than general 8. Many of these collaborations are organised in the context of funding programmes (mainly Horizon 2020), for the development of joint programmes. Collaboration between universities, with the A-4U Alliance being notable (strategic association between the Autonomous University of Barcelona, the Autonomous University of Madrid, Carlos III University of Madrid, and Pompeo Fabre University of Barcelona). The main goal of collaborative networks is to be a meeting point between the agents of the ecosystem to achieve a global and integrating vision. Most networks provide for public-private participation. However, there are also collaboration networks with members who belong exclusively to the private sector. As a general characterisation of the relationship models in our country, it can be concluded the following: Given the emerging nature of the cybersecurity sector in our country, the networks identified are relatively young (with the oldest being around ten years old). Most of the identified relationships focus on activities related to dissemination, training or the implementation of working groups with no detection of networks that exclusively focus on R&D+i. The networks identified are of a general nature (ICT security in general), without having a specific focus on the cybersecurity field. The most advanced networks are those linked to the industrial sector, which is clearly positioned as the sector that is most involved in cooperation. They have a marked institutional nature although they integrate all categories of agents of the ecosystem (Public Administrations, Academic Sector, the Industry, and R&D+i Support Organisations). They are non-profit entities (with the information available it is unable to identify their legal form), and they are open to all interested agents, but with not member admission criteria detected. 8 Specific examples of alliances have been identified, such as that of INDRA s Cybersecurity Chair and the Carlos III University of Madrid or the agreement signed by S21sec and the Institute of Forensic Sciences and Security of the Autonomous University of Madrid. Summary report Page 29 of 81

30 In general, they are networks funded through membership fees and sponsorship, with some being funded by the government. Lastly, it is necessary to highlight the important role of the one-off events that bring together the main agents of the ecosystem, which are excellent opportunities for them to network and develop the assets and advances in cybersecurity. In this regard, since it is a reference in the sector, the International Information Security Conference (ENISE) organised by INCIBE deserves a special mention, which is now in its eighth edition. Furthermore, INCIBE is currently organising an annual event, Cybercamp, whose objective is to attract talent in the sphere of cybersecurity through various technical tests and some online activities like cybersecurity challenges; the aim is therefore to bring together the best talent in this area, and have the participation of the best students in cybersecurity training programmes in Spain, as well as the best international talent Main international collaboration models or networks In the international sphere, the collaboration models and networks are at a more advanced stage than in Spain, mainly due to other countries more cooperative culture. The analysis of the networks is firstly organised around the European initiatives, and later main characteristics of the networks internationally are illustrated, focussing on the success stories of the United States and Israel European collaboration models or networks Many initiatives have been carried out in Europe seeking the ideas generation and pooling the different agents with an active role in cybersecurity. There are two main categories within these networks: Networks linked to the industry: These are led by the industry 9 but bring together members of the academic sector, R&D+i support organisations and consumer associations. Basically, these networks work to achieve the following objectives: o To increase competitiveness, building up innovative ideas to create business opportunities. o To develop a strategic agenda for R&D+i in Europe that is presented to the European Union, favouring alignment between its objectives and the main strategic lines established for R&D+i. o To promote the interoperability of technological solutions. 9 Networks consisting of European ICT companies, such as Gemalto, Microsoft, Nokia, Philips and companies linked to the energy sector, such as Alliander, E.ON, KPN and DNV KEMA. Summary report Page 30 of 81

31 Networks linked to the European Union, where the latter plays a role as a cohesive element and facilitator of collaboration in the public-private sphere. These networks are characterised by having a marked political and institutional character, integrating all the active agents in cybersecurity. The main objectives of these networks is the exchange of information and the creation of best practices Other international collaboration models or networks The long history of the leading countries in cybersecurity (the United States and Israel), linked to the awareness and involvement of their authorities in the development of these types of networks, has contributed to the existence of very solid networks in these countries. The role of the United States as a worldwide reference is highlighted, since it approaches collaboration from a comprehensive perspective. There are two main types of network: those led by governmental organisations and sectorial networks (led by the industry and participated in by the administration); both include amongst their members the main reference companies in the sector, and accept any type of agent who works directly or indirectly in the sphere of the network s activity. The services offered are usually aimed at the dissemination of information, advice, and training. These networks are aimed at boosting R&D+i, placing special focus on strategic elements in the case of governmental networks, and establishing demands for cybersecurity in the case of sectorial networks. Sectorial networks are usually aimed at the industrial and energy sector, and include the main interests of the industry to conduct them through R&D. Lastly, it is necessary to highlight the many international cybersecurity events that have taken place to improve the networking between agents of the international ecosystem, and promote new collaborations. 3.5 Factors limiting cybersecurity R&D+i competitiveness This section discusses the weaknesses and obstacles detected in relation to cybersecurity R&D+i, which constitute, along with the other conclusions, the base from which the ecosystem s SWOT (presented in the following section) will be created. To facilitate comprehension, these elements have been organised into two main groups: General and structural weaknesses and obstacles. These are not specific cybersecurity elements, but rather general elements that mainly affect the foundations of the economy and society. With regard to this initiative, we principally include the deficiencies of the Spanish Science and Technology Systems and of the (mainly collaborative and entrepreneurial) culture of our country. Summary report Page 31 of 81

32 Specific cybersecurity weaknesses and obstacles, which, although they can be reproduced in other areas, are more specific General and structural weaknesses and obstacles Complex environment to perform R&D+i in Spain, due to major cuts in funding in the Science and Technology System, which affects not only the execution of R&D+i projects, but also the hiring of research personnel. The Science and Technology System provides opportunities to improve the research incentives. The precariousness of the Science and Technology System s budget does not contribute to making research a professional option. Disconnection between science and business. Very inadequate research results transference system, which requires a review by the agents involved in this work. Transference complexity at an international level, particularly in cybersecurity solutions related to government defence and intelligence. Risk aversion culture, which hinders entrepreneurship Specific cybersecurity weaknesses and obstacles General context. Lack of public data and statistics to allow a comprehensive and structured analysis and assessment to be carried out on cybersecurity in Spain. Cultural context. Low cybersecurity culture, both in the Administration itself and in companies and the general public, which limits the demand and development of solutions by the industry. Strategic context The Spanish cybersecurity strategies are established as a State priority. However, it is necessary to ground these proposals in specific actions, priorities, and focal points. Lack of a specific cybersecurity R&D+i programme. Regulation context. Regulation developments, some elements of which are still in their infancy, must be driven forward as an aspect that catalyses the demand for solutions and development in this area. Summary report Page 32 of 81

33 Financial context Cuts to funding in the Science and Technology System that affect cybersecurity. Lower R&D+i investment levels than in other European countries and lower than leaders in cybersecurity, which puts our country at a clear disadvantage, while it hinders the competitiveness of the sector in the medium and long term. Market. Small cybersecurity market size in Spain due to the low demand for solutions, both from companies and from the Administration, with the latter being an important agent for driving forward solutions in this area. Ecosystem characterisation Conclusions Spain does not have a clear positioning in the international cybersecurity scene, and it is behind the leading countries and many reference European countries (the United Kingdom, France, Germany, and the Netherlands). Extensive, diverse, fragmented, and disconnected ecosystem, without clear relationship dynamics between its agents, no specific focal point, and low levels of collaboration. A wide potential for use and development of capacities through collaboration and the generation of synergies between agents. Poor collaboration between the Academic Sector and the industry. Complexity of transference on an international level, particularly in terms of cybersecurity solutions related to defence and intelligence. Poor results and assessment of results of cybersecurity R&D+i in Spain. Brain drain to other countries with better opportunities and remuneration. Training processes that should be reviewed to adapt to the needs of the market. When carrying out an assessment of the limiting factors in accordance with their impact, it can be observed that many of these factors have a high impact on the competitiveness of cybersecurity R&D+i, particularly those relating to: Socioeconomic context, such as funding cuts, the lack of operational strategies or specific R&D+i plans, and cultural aspects related to cybersecurity. Summary report Page 33 of 81

34 Poor results and assessment of R&D+i. International positioning and the small size of the domestic market. Talent limitations, since it is leaving Spain or the lack of alignment between the existing profiles and the demand for them by the industry. Nature Limiting Factor Impact General/Specific General/Specific Specific Specific Specific Specific Specific Specific Specific Specific Specific Specific Structural Structural Structural Structural Specific Specific Specific Funding cuts, which limit the execution of R&D+i projects. Funding cuts, which limit the hiring and attraction of research talent. R&D+i investment levels that are lower than in other European countries or those of cybersecurity leaders. A low cybersecurity culture. A cybersecurity strategy that is not specific or operational. Lack of a specific cybersecurity R&D+i plan. Poor cybersecurity R&D+i results. Poor assessment of R&D+i results. Weak positioning of Spain in cybersecurity on an international level. Small cybersecurity market size in Spain (low demand for cybersecurity solutions). Brain drain to other locations. Training processes that are not adapted to the needs of the market. Disconnection between science and business. Low culture of cooperation. Inefficient research results transference system. Risk averse culture. Lack of public data and statistics. Regulation developments in their infancy Complexity of transference on an international level. Table 1- Assessment of the impact of limiting factors identified in terms of competitiveness As secondary aspects, with a lower impact on competitiveness, highlight the emerging nature of cybersecurity as an industry (with the resulting lack of regulatory development), the difficulty of accessing data to characterise cybersecurity, and the difficulty of carrying out international transference. Lastly, there are structural limiting factors in the Science and Technology System that hinder the development of R&D+i in general, such as the traditional disconnection between science and business (exacerbated by inefficient research results transference) Summary report Page 34 of 81

35 or the existence of a poor culture of collaboration, which prevents the potential and synergies existing in the ecosystem from being developed. 3.6 SWOT analysis of the cybersecurity research & innovation ecosystem In this section, the internal and external analysis of the cybersecurity research & innovation ecosystem is presented, materialised through the SWOT (Strengths, Weaknesses, Opportunities, and Threats) technique. Strength is Spain s competitive capacity, which gives the cybersecurity research & innovation ecosystem an advantage. Weakness are the qualities that the cybersecurity research & innovation ecosystem has but it is not capable to manage and places the ecosystem at a competitive disadvantage. Opportunity is a favourable characteristic resulting from the effective use of strengths to improve the positioning of the ecosystem. Threat is defined as an external competitor, event, or force that works against the ecosystem s positioning. Before presenting the SWOT analysis, it is necessary to highlight a series of specific initial premises and conditions of cybersecurity that are, therefore, an intrinsic part of the dynamics to which the research & innovation ecosystem is subject: A changing sector, both due to the continuous advance of cyber threats and the evolution of the technology itself. An industry with high fragmentation (large companies vs. niche companies) showing a high trend towards concentration. A strong requirement for specialised talent who require a long period of training and certain maturity in the exercising of the profession. Heavy investment in infrastructure is not required to carry out cybersecurity R&D+i activities. The SWOT analysis is displayed below: Summary report Page 35 of 81

36 Summary report Page 36 of 81

37 3.7 Action plan for the increase in the cybersecurity research & innovation ecosystem s competitiveness In this section, we present the actions identified to promote the research, technological development, and innovation in cybersecurity. The base for identifying these actions are two main elements already illustrated in this document: On the one hand, the [Factors limiting cybersecurity R&D+i competitiveness], which must be addressed through actions that allow their mitigation. On the other hand, the [SWOT analysis of the cybersecurity ]. Using this analysis, a series of actions aimed at the following were identified: o Correcting weaknesses. Conversion strategies. o Addressing threats. Defensive strategies. o Maintaining strengths. Strategies for maintaining competitive advantages. o Exploiting opportunities. Strategies for strengthening. Summary report Page 37 of 81

38 Figure 9: CAME actions definition matrix. Below, we display each of the actions defined, placed in their corresponding strategy category, with an assessment of the degree of impact and the difficulty of implementation (high, medium, low). Lastly, we indicate which actions are (fully or partially) within the scope of the network: Summary report Page 38 of 81

39 Figure 10: Characterisation of the actions. The characterisation of the actions shows that most are included within the conversion strategies focused on correcting weaknesses, some of which are structural weaknesses of the Science and Technology System. In turn, these actions can have an active role in defensive strategies (actions to address the existing threats), since in many cases the threats identified are the result of weaknesses in the cybersecurity research & innovation ecosystem. The results of this characterisation are shown on a positioning matrix, which will allow the positioning of each action to be identified, in the form of a user-friendly graphic. Summary report Page 39 of 81

40 Figure 11: Matrix prioritising the actions of the Action Plan. As can be observed in the matrix, in line with the impact and the difficulty of implementation, the actions can be organised into four main groups: Actions for immediate application: These actions will be carried out in the short term, since their impact on the competitiveness of the ecosystem is high and the difficulty to implement them is low. Specifically, these are actions relating to the identification of common points of interest in the ecosystem and market needs for generating collaboration, as well as those relating to the definition of programmes for the acceleration of entrepreneurship. Actions for medium-term application: They can be carried out in the medium term, since the difficulty to implement them is medium. These actions are aimed at making the cybersecurity country strategy operational, identifying research focal points, identifying the existing assets and the needs of the industry, as well as the actions aimed at retaining talent. Long-term strategic actions: Despite the fact that carrying them out would have a high impact on competitiveness, they are difficult to implement. These actions relate to the increase in cybersecurity R&D+i funding, and the improved efficiency and results orientation of existing research support organisations. Summary report Page 40 of 81

41 Non-priority actions: Given their medium or low level of impact, they are not considered to be priorities. Summary report Page 41 of 81

42 4 OPPORTUNITY ANALYSIS AND SWOT OF THE CREATION OF A NETWORK OF EXCELLENCE ON CYBERSECURITY R&D+i In this section, we identify the factors that are opportunities for the creation of a network of excellence on cybersecurity R&D+i in Spain. 4.1 Opportunity Analysis Due to the lack of global collaboration models and networks specific to cybersecurity R&D+i, there is a clear opportunity for the creation of a network of centres of excellence in this area in Spain. This network can play a key role not only in bringing together and enhancing the capacities of the ecosystem, but also in improving Spain s positioning internationally. All agents participating in the study are in general agreement about the need to establish a network in Spain that pools all R&D+i resources. We consider that the network should have specific objectives, both in the long and short term, a clear orientation towards practicality, and a focus on R&D+i and transference, as well as identifying issues and opportunities and the channels for addressing them. It is relevant to highlight the importance of identifying the capacities and expertise of all agents of the ecosystem, as well as a common objective for all of its members, with an environment of trust being created to favour the creation of ideas, knowledge exchange, and the development of joint projects. 4.2 SWOT The SWOT analysis schematically illustrates the vision of the main participants in the study on the opportunity and feasibility with regard to the creation of a network of excellence on cybersecurity R&D+i in Spain. Summary report Page 42 of 81

43 Weaknesses Fragmented and disconnected ecosystem. There are no thematic focal points in cybersecurity (non-operational strategies and the lack of specific R&D+i plans for the sector). Public policies are not specific. Poor collaboration culture. Lack of alignment between Universities and Businesses. Poor coordination between Ministries and cybersecurity agents. Low talent retention level. Research personnel remuneration programmes offer little incentive to establishing a career in research. Threats Complex and changing environment, both in terms of threats and in technologies, which requires high flexibility and a high response capacity. Financial crisis, which has restricted both public and private funding. The heavy investment of other countries in cybersecurity puts the network at a disadvantage with respect to the networks of those countries in terms of its positioning in the global arena. Strengths Opportunities Research critical mass. Good professional and research talent. A certain level of excellence in the cybersecurity research system. Capacities of the ecosystem to perform R&D+i, both at the Academic Sector level and at an industry level. High awareness-raising activity in society with regard to cybersecurity by public sector agents. Absence of similar networks in Spain. Interest of the European Union in this initiative, which may be a good opportunity for positioning Spain. The ecosystem agents consider it as a need, which creates good willingness to participate. Cultural and educational opportunities in relation to entrepreneurship and the promotion of cybersecurity vocations. Room for improvement in the efficiency of the research results transference system. Much room for development in the research results market. Signs of improvement in the process of connection between universities and businesses, as well as in the collaboration between public and private agents. Extensive focus on cybersecurity in the European R&D+i promotion programme (Horizon 2020). Positioning of Spain in the community strategies and European objectives in cybersecurity R&D+i, both at country level and at agent level. The development and adopting of standards and processes for technical certification. Table 2 SWOT analysis on the creation of a network of excellence on cybersecurity R&D+i Summary report Page 43 of 81

44 5 NETWORK OF EXCELLENCE MODEL ALTERNATIVES The proposal of Network of Excellence model alternatives has been carried out taking into account the vision of the different agents participating in the study to outline the best possible network model for this particular case. According to those agents, the network model must comply with two initial premises: Participation of all types of agents in the ecosystem (Public Administrators, R&D+i Support Organisations, Cybersecurity Industry, and Academia). Allowing different collaboration models (public private, private private, public - public). The opinion is not unanimous with regard to the most appropriate network model: while some agents interviewed point to the suitability of an open model, the majority opinion, in which excellence is established as the standard term, indicates the need for a closed model. Additional considerations of the participating agents include the following elements: Importance of the presence of sectorial key players. Closed model (entry filters). o Selective and excellent core with the best in their field, and those with the greatest contribution potential (based on objective criteria). o Proven R&D+i ability. o Excellence, rigour, expertise. Only agents contributing with: capacities, competence, and potential. Very open models may have low activity and poor results. A mixed model would allow the whole ecosystem to participate and excellence to be created simultaneously. With respect to subnets (hubs), the agents indicate that: o They should not necessarily be constructed based on areas of knowledge. o They must have specific activities in accordance with needs. o Hubs must provide clear value. Summary report Page 44 of 81

45 Lastly, with regard to the leadership and coordination of the network, INCIBE is marked as a candidate if is able to maintain a role of non-intervening facilitator. Some additional considerations of the collective intelligence indicate: o There should be a network management model distributed and shared. o There should be connection between hubs. o The network must evolve by itself but be driven forward and supported by the administration (leadership from outside ). Keeping those considerations in mind, these are the different possible alternatives of the Network model: Figure 12 Network model alternatives Cross-disciplinary network: Focussed on many scientific-technological areas 10, it could bring together all (or some) of the agents of the ecosystem, seeking a horizontal connection between all of them 11. This category of network, given its open nature, could have a general activity (since it covers many scientific-technological areas). Consequentially, the results of this activity, would also be expected to be general in nature, making it impossible to generate critical mass and reference in specific areas. The mass participation of agents could lead to a certain inoperability, both in terms of decision-making and in operation. Specialised Network, which specialises in one or several scientific-technological areas, bringing together all (or some) of the R&D+i agents who specialise in this/these area/s. 10 Such as research, mobility, hardware, cyber-defence/cyber-attack, secure coding, and procedures and operations. 11 A total of 314 agents were identified: 20 Public Administrations, 110 research groups in 42 Universities, 3 Research Centres, 2 Technology Centres., 43 Research Results Transference Offices (OTRI), 8 Business associations, 3 Certifying organisations and 125 companies (identified in the framework of the Study on the feasibility and opportunity of a cybersecurity technology centre and its strategic integrating plan project). Summary report Page 45 of 81

46 This model seeks a vertical connection between agents, which work in their area of specialisation, thus allowing a clear focus and its efforts and resources to be concentrated. Driver hub network: A variant of the specialised network model, this model consists of specialised hubs: The philosophy of the hubs is to focus on the cybersecurity excellence. Its members will be the best in their field, guaranteeing a maximum contribution to the value of the ecosystem. As such, only agents who are reference and excellent in the area of specialisation of each hub may be members. Hubs will be interconnected, and will consist of a node framework which, in the form of a large network, connects different parts of the ecosystem, creating an excellent global critical mass. Two types of hubs can be identified: o Skilled hubs in scientific-technological areas and sectorial areas, for applications of cybersecurity, etc. o General or cross-disciplinary hubs, such as entrepreneurship, funding, etc. The creation of hubs (particularly with regard to subjects), their development, and evolution will to a large extent depend on the evolution of the ecosystem, its agents, and the priorities and activities that are determined to be essential in the network. These types of networks allow a focus on excellence, although, in the context of cybersecurity, it may require time, since it will be necessary to determine what are the most excellent or strategic subjects or areas on which to develop the hubs, a decision that must be agreed with the ecosystem, always under the paradigm of excellence. Mixed Network (cross-disciplinary hub). This is a hybrid model that combines the crossdisciplinary network with the driver hub network. This allows the whole ecosystem to be brought together through the cross-disciplinary part while simultaneously considering excellent agents through specific thematic hubs. This combines the advantages and the qualities of the cross-disciplinary and hub models, while discarding the disadvantages of the cross-disciplinary network through the focal points established in the hubs. 5.1 Multicriteria assessment of the Excellence network model alternatives Each of the alternatives has advantages and disadvantages, which will be the basis for prioritising alternatives and supporting the final decision on the future Network model: Summary report Page 46 of 81

47 Figure 13 Assessment of the excellence network model alternatives 5.2 Presentation and validation of alternatives with the interested parties Using the collective thinking exercise, It has been validated the main findings and alternatives of the network model with a small group of agents (Focus Group), and concluded that the most suitable model is the mixed model that contains a general part and a specialised part formed by driver hubs. The cross-disciplinary part could bring together all agents that want to participate. This is the part of the network that could be in charge of collaborating in the drawing up of the cybersecurity R&D+i Strategic Plan/Spanish Cybersecurity R&D+i Agenda and other national strategic documents. The hub part would be a closed model that would only integrate the best into each hub (there would be entry and retention criteria for access to each hub, and as such, an agent that no longer complies with the retention conditions should leave the hub). Summary report Page 47 of 81

48 According to INCIBE, the network is designed as a Network of Excellent Agents that provides services to the whole ecosystem where the big helps the small ; as such, the group of excellent agents (members with a decision-making capacity) may provide services to the whole community (of non-excellent agents/associates, which do not have a decision-making capacity), obtaining an ecosystem that gradually achieves greater levels of excellence. NOTE: It should be highlighted that the network model selected (mixed model) had a high level of consensus amongst the participating agents, although it could be subject to modifications during the development and defining of the Network. Summary report Page 48 of 81

49 6 MODELLING THE NETWORK In line with the collaborative approach that has been maintained throughout all of the activities carried out in the framework of this initiative, the strategic modelling was carried out using the elements identified during the collective thinking exercise. These elements were validated with a small group of agents (Focus Group), and constitute the approach to the strategic modelling described in this section. However, this initial approach must be grounded and implemented in a Strategic Network Plan, which will establish the foundations for the operation of the network over the coming years. This plan, once prepared, should be widely backed by the research & innovation ecosystem agents. Lastly, both the strategic modelling and the Strategic Network Plan should be aligned with the results of the Study on the feasibility and opportunity of a Cybersecurity Cluster in Spain and its strategic integrating plan, with the aim of using the synergies and complementarities between the two initiatives. As a starting point, the main results of the collective intelligence of the ecosystem agents and of INCIBE s vision in relation to the network s strategic modelling are displayed. In general, the agents participating in the study are really interested about the creation of a network and participation in it, while recognising the complexity in the design and implementation of an initiative of this kind. The following aspects must be taken into account: o Pooling of R&D+i resources (country-positioning), including the reuse of existing initiatives and networks to achieve synergies (connecting link: INCIBE). o The network must not only state its intent. o High-level leadership. o Incentives and real commitment (budget). o International connection. With respect to the objectives, the agents indicate: o General and common objectives, not individual. Summary report Page 49 of 81

50 o A focus on specific objectives, avoiding dispersal. A focus on R&D and transference (bring products to the market) in the medium and long term, and on the creation and development of R&D+i projects. o Global approach (no regionalism) and business approach (focus on results). o Mark the direction: identify needs and provide a solution. o Practical collaboration, that goes beyond hollow agreements. o Collaborate in the definition of the cybersecurity strategy through a Strategic cybersecurity R&D+i Plan or a Spanish cybersecurity R&D+i Agenda. o Training: align the training needs with the industry: definition of the profile of the cybersecurity professional. Services to be offered by the network: o Focus on R&D and transference. o Model based on specific and practical projects and challenges. o Funding of excellent proposals, demanding requisites in the selection process. o Specific R&D programme (National Plan or other mechanisms). o H2020 type approach: proposals and an expert panel to design work plans on each subject. o Early-adopters panel to design strands of work and solve market problems. o Ideas factory to be materialized in consortiums and joint collaboration. o Minimum infrastructure (access to H2020, administrative support, etc.). o Technological monitoring is not necessary. o Avoid dilutions in networking, lobbying and pooling without specific objectives. o Transference and flow between agents and individuals. o Talent (professional and research) attraction. o Training. Summary report Page 50 of 81

51 o Permanent meetings. o Knowledge exchange. According to INCIBE, the network should be characterised by: Being focussed on R&D+i results to be transferred to the industry. Focus on excellence in R&D+i. o Focus on the detection, attraction, retention, and promotion of research professionals. o The differentiating value of the network. Capacity to influence in the European Union (through the presence of INCIBE in European working groups). o Development of resources to address the needs of the industry. o The network must have a marked commercial focus (not focused on theoretical research). In relation to the services that the network can offer, INCIBE highlights: o The execution of differential projects. o The certification of service providers (consultancy, technological enhancement, etc.) o Studies/Prospective studies: trends, annual studies, etc. o Competitive intelligence. o The certification of research groups. o The network will not fund projects, but rather, it will provide access to funding o Provision of resources to the ecosystem (infrastructure, databases, etc.). o Provision of funds for disruptive ( non-feasible ) projects that provide guarantees to entrepreneurs. INCIBE considers that the network must be self-sustaining (it will be supported when it is launched, but it must subsequently be independent through agreements or other actions). It is therefore necessary to define how to return the results of the funding/investment in the network. Summary report Page 51 of 81

52 6.1 Strategic formulation of the network The strategic formulation of the network has been prepared based on the Balance Score Card methodology, allowing to define the strategy from a global point of view (mission, vision, and values) and making it operational in strategic objectives, lines of action and measures. Figure 14: Network strategic formulation process. Each of these elements has undergone a validation, implementation, and consensus process with a group of agents of the ecosystem (Focus Group session) Mission, vision, and values Mission The mission of the network of excellence will be guided by the following key aspects: Competitiveness. Development and use of capacities and resources. Development of solutions for the market. Transference. Excellence in R&D+i. Contribution to cooperation and collaboration between agents, bringing together the research & innovation ecosystem. Agents participating in the study highlight the appropriateness of including the word excellence in the name of the network, given that it facilitates the fund attraction process Summary report Page 52 of 81

53 and the network s positioning. Likewise, excellence must not only be focussed on science, but also, at bringing solutions to the market. With regard to the R&D+i concept, they specify that research does not only include applied research, but also basic research, which is clearly necessary in cybersecurity. Some approaches to the cybersecurity R&D+i Centres of Excellence network mission could be: 1. Development of the excellent research resources of cybersecurity R&D+i in Spain, achieving the development of solutions that respond to the needs of the market, improving the sector s competitiveness, and combining efforts to overcome the fragmentation existing. 2. Boosting cybersecurity R&D+i through the pooling of the excellent resources of the ecosystem to drive forward cybersecurity in Spain and achieve the transference of the results of the research to the market. 3. Identify the ecosystem s needs and priorities and define and use the ecosystem s capacities Vision The vision of the Network of Excellence should be focused into achieving positioning in the international ecosystem. The study participants consider this something fundamental to go beyond Spanish borders and provide the network with an international dimension (Europe and other regions) and propose that a Plan be developed for the development of institutional relations with international agents. Possible alternatives to the definition of the network s vision are as follows: 1. Position Spain as a reference in cybersecurity on the international stage. 2. Position the cybersecurity research & innovation ecosystem within the global arena as a competitive ecosystem, with high levels of transference and technological value and a high degree of collaboration and connection between its agents Values Excellence, practicality, rigour, transparency 12, trust, team spirit, and an international dimension. 12 Need for the existence of different levels of transparency and confidentiality within the network. Summary report Page 53 of 81

54 6.1.2 Strategic objectives, action lines, and measures The strategic objectives, action lines, and measures of the network must be fully in line with the mission, vision, and values, since they constitute the grounding and implementation of them. The objectives finally identified (agreed with the agents of the ecosystem that attended the Focus Group sessions) are: 1. To position cybersecurity R&D+i on a European and international level. 2. To develop innovative solutions through R&D+i. 3. To boost technological transference from research to the market in collaboration with the Cybersecurity Cluster in Spain. 4. Identify, attract, generate, and retain the talent of professionals in cybersecurity on a national level. The strategic objectives are outlined in action lines and measures that implement the specific activities to be performed by the Network. NOTE: The action lines and measures or specific activities to be carried out by the network are, on the date that this document is drafted, subject of debate and consensus between those collaborating on this initiative. Since it is an ongoing process, there may be changes to these action lines and measures; APPENDIX II STRATEGIC LINES OF ACTION AND MEASURES has a more detailed description of these action lines and measures. Generally speaking, different categories of measures have been identified: Studies and prospective studies that help to clarify important aspects that may guide future specific initiatives. Holding of specific events that can be used as a showcase in which both the network in particular and the ecosystem in general can display the Spanish ecosystem s capacities in this area. Awards for research of excellence. Communication, dissemination, and institutional relations to establish the relationship strategy and position the ecosystem s network both nationally and in Europe. Detection of excellent and high-potential research ideas/projects, designing a mechanism for their assessment and development in R&D+i projects. Summary report Page 54 of 81

55 A catalogue or repositories with the research available and its associated exploitation rights, to facilitate its commercialisation. Administrative support for project management, putting the ecosystem agents in contact and supporting the R&D+i projects proposal preparation phase. 6.2 Strategic alignment with the Cybersecurity Cluster in Spain project The initiatives that INCIBE is carrying out in cybersecurity must be connected, coordinated, and synchronised to take advantage of the synergies and economies of scale. In this regard, we can highlight the close relationship between the Network of Excellence on cybersecurity R&D+i and the Cybersecurity Cluster in Spain initiative. In this section, we broadly describe the main points of intersection and synergies between the two initiatives; however, since both are undergoing development, the coordination must be dynamic and constant over time. The strategic objective of the network of excellence 1. Positioning cybersecurity R&D+i on a European and international level must be participated by the relevant agents of the Cluster s industry, such that the positioning may consider an extended view of the industry s needs, and the latter may be properly reflected in the cybersecurity strategies. The strategic objective of the Network of Excellence 4. Identifying, attracting, generating, and retaining the talent of cybersecurity professionals at a national level is also a focal point of the Cybersecurity Cluster in Spain, and as such, both initiatives must place special focus on coordination and cooperation in this sphere. With regard to training, the Network of Excellence, during the collective validation of the strategic objectives and measures, discarded the direct implementation of training actions, since they are provided by other ecosystem agents. Instead, it was agreed that the network must play an active role in the detection of training needs. In the case that the Cluster in the end decided to implement training actions, they should be closely coordinated and provided with the needs detected by the Network. Actions linked to entrepreneurship. During the validation of the network s objectives with the ecosystem agents, it was agreed that should be led and coordinated by the Cybersecurity Cluster in Spain. The network must work closely with the Cluster with regard to everything related to the strategic objective of the network. 3. Boost the technological transference from research to the market in collaboration with the Cybersecurity Cluster in Spain. For specific measures relating to the development of projects (search and selection of research results for their transference to the market), it is necessary Summary report Page 55 of 81

56 to highlight the extensive possibilities for collaboration between the two initiatives, such that the network can perform the first filters (select ideas with potential, carry out a technological validation) with the support of the Cluster to perform the business validation. In the measures related to networking, events, and other positioning actions, both initiatives must analyse the measures to be executed, seeking synergies and even the possibility of the joint holding of these types of activities. Lastly, it will be highly recommended that all measures to be implemented by the Network in terms of studies and analysis be coordinated with the Cybersecurity Cluster in Spain in all cases in which these studies have an impact on or are related to the cybersecurity industry. Summary report Page 56 of 81

57 7 ACTION PLAN: SHORT-, MEDIUM-, AND LONG-TERM ACTIONS ROADMAP The action Plan for the implementation of the network consists of four main phases. Phases 0 and 1 will be carried out during the first year of the network (2015), such that at the end of this year, the network will have begun its activities. From 2016, the network will go into full operation. Below, we illustrate the phases of the Action Plan, as well as the activities to be carried out in each of them: Figure 15: Action Plan Phases. The network s Strategic Plan is the main axis of activity, establishing strategic objectives, action lines, and measures to execute. It should be highlighted that the measures of this plan, which are currently being defined, will be implemented over two years (2015 and 2016). From 2017, the Strategic Plan must be reviewed, in order to define the new actions to be executed in the framework of the strategy. 7.1 Phase 0: Collaborative definition This phase constitutes the process of collaboration and participation with the ecosystem for the definition, consensus, and support of the key subjects of the network. The following key premises has been agreed: The suitability of a mixed network, with a cross-disciplinary part and another consisting of specialised hubs. Summary report Page 57 of 81

58 The participation in the network of all types of agents existing in the ecosystem (science, administration, industry, R&D+i support agents). The need to establish entry and exit criteria, based on excellence, for the members in the specialised hubs. The appropriateness of creating a strategic cybersecurity R&D+i Plan. Name of the network. Strategic formulation. Mission, vision, and values, strategic objectives, action lines, and measures to be carried out in Services or activities to implement. Sustainability model, namely the sources of income, as well as financing needs. It will be necessary to continue thinking about this issue in the future, given its complexity. Participation and expansion model: definition of member entry and exit criteria, both in its cross-disciplinary part and in its hub part. It will be necessary to continue thinking about this issue in the future, given its complexity. 7.2 Phase 1: Starting the pilot programme The activities to carry out during this phase will be a starting point for beginning activities and they will be implemented in the network s Strategic Plan for During this phase, INCIBE will act as coordinator. The aforementioned Strategic Plan will consider two main types of actions: Implementation of the measures to execute in Network creation activities in terms of its legal and operational aspects: o Constitution of the legal form. o Government model. This activity will include the selection of the members of the executive committee, the constitution of government bodies and the formal drafting of the Network s Statutes. o Management model, through the definition of the Management Committee, its roles and functions, as well as the areas of activity of the network in the cross-disciplinary hub. Summary report Page 58 of 81

59 o Performance of other activities that are necessary for the implementation of the network, such as the preparation of physical and technological infrastructure. o Creation of the cross-disciplinary hub. 7.3 Phase 2: Deployment This phase, which will run throughout 2016, will be oriented to the expansion of the activity. On the one hand it will give continuity to the measures established in the Strategic Plan, which began in 2015 and on the other, it will define the thematic hubs of which the network will consist. With regard to the hubs, the following activities must be addressed: The priorities and strategic objectives of each hub, in line with the national and European cybersecurity strategies. With the strategic objectives of each of the hubs as starting point, measures to be executed and activity areas matching those objectives will be defined. The collaboration and cooperation model. The participation and expansion model (access and retention criteria). Lastly, in this phase, deployment of logical infrastructure will be continued, which began during phase 1 and network personnel will be recruited. 7.4 Phase 3: Stabilisation During this phase, the network will be stabilised and will be fully operational, both in the cross-disciplinary and hub parts. During this phase, it is not possible to anticipate the activities that may arise, apart from the daily operations and updating of the network s Strategic Plan, since this will be subject to the evolution of the network. 7.5 Cross-disciplinary phase: Management of the implementation The management of the implementation will be extended to all of the phases with the exception of the stabilisation phase and is aimed at providing the network with a model for the management, evaluation, and follow-up of the network strategy. To execute these activities, the creation of a strategic office is recommended, which will provide an overview of the network, beyond the execution of specific measures, contributing the methodologies, tools, techniques and the management model for supporting the strategy. This office will act on three levels: Summary report Page 59 of 81

60 Strategic management. From the network strategy defined for the next few years, the office will manage the execution of the strategic objectives. Tactical management, aimed at defining specific measures, their budget, and the associated resources. Operational management, aimed at the management, supervision and control of the measures to execute, as well as the activities to execute within each measure. It will also be aimed at executing activities that support the daily operation of the network. 7.6 Action Plan Schedule This section displays the general schedule of the Action Plan. Figure 16: General schedule of the Action Plan. Summary report Page 60 of 81

61 APPENDIX I STUDY PARTICIPANTS AI.1 INTERVIEWS Organisation/Institution/Company Person interviewed Position Agency of Business Innovation, Funding, and Carlos Escudero Internationalisation of Castilla y León Martínez Department Director Agency of Business Innovation, Funding, and Internationalisation of Castilla y León Javier García Díez N/A Innovative Business Association for Network Security and Information Systems Tomás Castro President Galician Innovation Agency Manuel Varela Rey Director Galician Innovation Agency Sonia Pazos Álvarez Director of the Centres Area Carnegie Mellon University (Software Engineering Institute - CERT Division) Robert C. Seacord Secure Coding Manager Industrial Cybersecurity Centre Samuel Linares Director National Centre of Excellence in Cybersecurity Álvaro Ortigosa Director CISCO David Fuertes N/A European Commission Directorate-General Programme Officer EU policies for Communications Networks, Content and Martin Muehleck at DG CNECT Technology Trust and Security Spanish National Research Council (CSIC) Luis Hernández Encinas Tenured Scientist CriptoLab. Cryptology Laboratory of the Polytechnic University of Madrid Jorge Dávila Muro Director IE Business School Peter Bryant Assistant Professor of Entrepreneurship Indra Jorge López Head of the Cybersecurity Hernández-Ardieta Research group Inixa Security Julio Rilo Director Spanish National Cybersecurity Institute (INCIBE) Ministry of Industry, Energy, and Tourism S21sec Raúl Riesco Granadino José Alemán Manager of Innovation and Talent in Operations Management Law Enforcement and Defence Line of Business Manager S2GRUPO Miguel Juan Managing Partner Tecnalia José Javier Larrañeta Head of the area of security in infrastructure Carlos III University Computer Security Lab Juan Manuel Estévez Tapiador Full University Professor University of Granada Pedro García Professor attached to the UGR Teodoro Cybersecurity Group University of Oviedo Santos González Jiménez Algebra Professor University of Vigo - Gradiant Fernando Pérez- González University of Vigo Professor University of Vigo - Gradiant Juan Ramón Postdoctoral Researcher at the Troncoso University of Vigo European University of Madrid Mª Teresa Villalba de Benito Full Professor/Researcher and Director of the University Master s in ICT Security Summary report Page 61 of 81

62 Organisation/Institution/Company Polytechnic University of Madrid AI.2 QUESTIONNAIRES Person interviewed Victor Villagrá Position Full Professor and Researcher in Management and Security of Telecommunication Networks and Services. Organisation/Institution/Company Person surveyed Position Innovative Business Association for Network Security and Information Systems Innovative Business Association for Network Security and Information Systems Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies National Cybersecurity and Technological Expertise Association (ANCITE) Roberto Vidal Tomás Castro Aida Millán Javier Vendrell García José Luis Narbona President (and CEO of Xeridia) President Project Coordinator R&D Manager President Industrial Cybersecurity Centre Ignacio Paredes Head of Studies and Research National Centre for the Protection of Critical Infrastructure Centre for Industrial Technological Development Cartif Technological Centre CITIC Andalusian Innovation and Information and Communication Technologies Centre Spanish Confederation of Information and Communications Technologies and Electronics Spanish National Research Council (CSIC) Security Team for the Coordination of Emergencies in Telematic Networks (escert)- Polytechnic University of Catalonia Miguel Ángel Abad Maite Boyero Egido Mónica Antón Desireé Bellido Gloria Díaz Victor Antonio Gayoso Martínez Kenan Rhoton Head of the Cybersecurity Service Spanish delegate of Secure Societies and the national contact and of the H2020 Framework Programme Coordinator of International Projects Deputy Director Manager Doctor Collaborator Security Team for the Coordination of Manel Rodero N/A Summary report Page 62 of 81

63 Organisation/Institution/Company Person surveyed Position Emergencies in Telematic Networks (escert)- Polytechnic University of Catalonia Security Team for the Coordination of Emergencies in Telematic Networks (escert)- Polytechnic University of Catalonia Security Team for the Coordination of Emergencies in Telematic Networks (escert)- Polytechnic University of Catalonia Manuel García- Cervigón Gutiérrez Sandra Marsà N/A N/A Innovation 4 Security Rafael Ortega Director General Joint command of Cyber-defence of the Armed Forces-Chief of Staff of Defence Permanent observatory for cybersecurity of the World Federation of Scientists PANDA Carlos Gómez López de Medina Henning Wegener Salvador Sánchez Taboada Division general Director Cyber Defense Strategic Sales Director S21SEC Irene Eguinoa Research Manager Tecnalia Ana Ayerbe Director of the IT Competitiveness Business Area Telefónica Manuel Carpio Director of Information Security Autonomous University of Madrid Jorge E. López de Vergara Méndez Full University Professor University of Castilla La Mancha Francisco Ruiz Doctor Complutense University of Madrid- Analysis, Security, and Systems Group (GASS) University of Alcalá de Henares University of Alicante University of Alicante Luis Javier García Villalba Juan Ramón Velasco Pérez Antonio Zamora Gómez Francisco Maciá Pérez Director Professor Professor, Doctor and Director of the Cryptology and Computer Security group Vice Chancellor for Information Technology University of La Laguna Pino Caballero Gil Doctor University of Málaga José Mª Troya Linero Professor University of Mondragón University of Murcia University of Sevilla Roberto Uribeetxeberria Gregorio Martínez Pérez Rafael Martínez Gasca Research and Transference Coordinator University professor Full Professor Summary report Page 63 of 81

64 Organisation/Institution/Company Person surveyed Position University of Valladolid University of the Basque Country/Euskal Herriko Unibertsitatea University of the Basque Country/Euskal Herriko Unibertsitatea University of the Basque Country/Euskal Herriko Unibertsitatea University of the Basque Country/Euskal Herriko Unibertsitatea University of the Basque Country/Euskal Herriko Unibertsitatea European University of Madrid Helena Castán Lanaspa Alejandro Muñoz Mateos Begoña Blanco Jáuregui Eduardo Jacob Iñaki Goirizelaia José Luis Martín González Juan José Escribano Full Professor N/A Professor Professor Professor Professor of Electronic Technology Academic Director ITIA: Industrial, Aerospace Communications, and ICT area Polytechnic University of Madrid Ana Gómez Oliva University Professor Polytechnic University of Madrid Carlos Alberto Lopez Barreiro Professor Polytechnic University of Madrid Fernando Alonso Professor Polytechnic University of Madrid Julio Berrocal Doctor Public University of Navarra Autonomous University of Barcelona University of the Balearic Islands Open University of Catalonia Eduardo Magaña Lizarrondo Jaume Pujol Capdevila Guillem Femenias Nadal David Megías Jiménez Full Professor of Telematics Engineering (Automation and Computing Department) University School Professor Senior Researcher Doctor Polytechnic University of Catalonia Javier Herranz N/A Polytechnic University of Catalonia Jorge García Vidal N/A Polytechnic University of Catalonia Miguel Soriano N/A Polytechnic University of Valencia Carlos Miguel Tavares Calafate Full Professor Pompeu Fabra University Ángel Lozano N/A Rovira i Virgili University Josep Domingo- Ferrer Professor Summary report Page 64 of 81

65 AI.3 PARTICIPANTS IN THE FOCUS GROUPS AI.3.1 FIRST FOCUS GROUP LIST OF FOCUS GROUP 1 ATTENDEES ORGANISATION Agency of Business Innovation, Funding, and Internationalisation of Castilla y León (ADE) Innovative Business Association for Network Security and Information Systems (Cybersecurity AEI) Spanish National Research Council (CSIC) Indra Inixa Security S21sec S2GRUPO Carlos III University - Computer Security Lab (COSEC) University of Oviedo University of Vigo - Gradiant University of Vigo - Gradiant ATTENDEE Carlos Escudero Martínez Tomás Castro Luis Hernández Encinas Jorge López Hernández-Ardieta Julio Rilo Blanco José Alemán José M. Rosell Juan Manuel Estévez Tapiador Santos González Jiménez Fernando Pérez-González Juan Ramón Troncoso AI.3.2 SECOND FOCUS GROUP LIST OF FOCUS GROUP 2 ATTENDEES ORGANISATION Agency of Business Innovation, Funding, and Internationalisation of Castilla y León (ADE) Spanish National Research Council (CSIC) Indra Inixa Security Tecnalia S21sec S2GRUPO Tecnalia University of León University of Vigo - Gradiant University of Vigo - Gradiant Polytechnic University of Madrid ATTENDEE Carlos Escudero Martínez Luis Hernández Encinas Jorge López Hernández- Ardieta Julio Rilo Blanco José Javier Larrañeta José Alemán Miguel Juan Ana Ayerbe Miguel Carriegos Vieira Fernando Pérez-González Juan Troncoso Victor Villagrá Summary report Page 65 of 81

66 APPENDIX II STRATEGIC LINES OF ACTION AND MEASURES For each of the objectives or strategic areas identified, this appendix contains the lines of action and briefly describes the associated measures. The Strategic Plan for the network, once finished, will include further explanations and specifications for each of these measures. NOTE: The specific lines of action and measures or activities to be implemented by the network are, at the time of creating this document, subject of debate and consensus among those collaborating on this initiative. This document is susceptible to modifications given that it is a work in progress. The strategic formulation results in a total of 4 strategic objectives, 9 lines of action and 22 measures: MEASURES ASSOCIATED WITH THE STRATEGIC OBJECTIVES OF THE NETWORK STRATEGIC OBJECTIVE LINE OF ACTION MEASURE 1. Position cybersecurity R&D+i in Spain at the European and International levels L.1 Classification of the cybersecurity R&D+i sector in Spain and its position in the global context L.2 Development of a National Strategic Agenda regarding cybersecurity R&D+i M.1 Definition of a cybersecurity R&D+i knowledge map from a dual perspective: Large-scale perspective: General classification of the ecosystem, through activity dynamics, context and scope of action, which the ecosystem develops under. Small-scale perspective: Map of agents that provides information on each agent in the ecosystem regarding their capacities, knowledge, abilities, experience and potential in cybersecurity R&D+i material M.2 Analysis and diagnosis of obstacles and inhibitors (problems or challenges) as well as driving factors and social, technological, economic and regulatory incentives to encourage research in the field of cybersecurity R&D+i M.3 Detect problems and demands with no solutions in the market actually that affect endusers (public administrations, Defence, Law Enforcement agencies, strategic sectors, citizens) for the generation of R&D+i joint projects between the industry and science sectors It is worthwhile to mention the relevance of sophisticated demand (CERTs, Defence, Finance, etc.) whose unmet challenges represent opportunities and business models have high global potential. M.4 Identification of priorities in cybersecurity R&D+i research (focus points and R&D+i lines of action) Summary report Page 66 of 81

67 MEASURES ASSOCIATED WITH THE STRATEGIC OBJECTIVES OF THE NETWORK STRATEGIC OBJECTIVE LINE OF ACTION MEASURE M.5 Definition and proposal for the creation of network nodes of expertise based on the results of the Strategic Agenda. Review and alignment of the network of excellence s Strategic Plan (R&D+i / Transference / Internationalisation) in line with the Spanish and European Strategic Agendas regarding cybersecurity R&D+i L.3 Brand reputation and positioning strategies in the national and international cybersecurity ecosystems L.4 Innovation stimulus M.6 Definition of the Network P.R. Model and Communications Plan M.7 Plan for publications and participation in international conferences and platforms M.8 Support for implementing idea incubators and identification and resolution programs for challenges in cybersecurity (crowdsourcing and access to high market potential challenges -- identified by the sophisticated demand in cybersecurity) 2. Develop innovative L.5 Impulse and stimulus for solutions through R&D+i the development of R&D+i Projects based on the Strategic Agenda 3. Promote the transference of technology from research to market, in collaboration with the Cybersecurity Cluster in Spain L.6 Recognition of excellence in R&D+i L.7 Support enhancement and transference of technology in collaboration with Cybersecurity Cluster in Spain M.9 Act as a facilitator, mediator and catalyst in order to find ways to finance and support R&D+i projects M.10 Administrative support in project management Networking mechanisms and contacting with ecosystem agents, in addition to support and consulting during the preparation and improvement of proposals regarding calls for R&D+i competitive projects. M.11 Facilitate technological infrastructures to enable management and execution (remote laboratory) of R&D+i projects among participants on the Network, thus promoting an increase in activity and cooperation concerning cybersecurity R&D+i projects M.12 Awards for cybersecurity research excellence. Design of candidate evaluation and selection mechanisms, call for proposals for recognition, event celebration and communication campaigns M.13 Business project acceleration program (detection of excellent R&D+i results as well as results which have high potential for transference to market) in collaboration with the Cybersecurity Cluster in Spain M.14 Creation of a repository for the results of Cybersecurity national research with available research knowledge and its associated exploitation rights in order to facilitate the marketing and commercialization of that research Summary report Page 67 of 81

68 MEASURES ASSOCIATED WITH THE STRATEGIC OBJECTIVES OF THE NETWORK STRATEGIC OBJECTIVE LINE OF ACTION MEASURE 4. Identify, attract, generate and retain cybersecurity research talent at a national level L.8 Identification of needs for research talent promotion in cybersecurity L.9 Detection and review of mechanisms for talent retention M.15 Collaboration with the Cybersecurity Cluster in Spain for the creation of a catalogue of suppliers of technological appraisal and transference services that meet certain requirements demanded by the Network of excellence. A repository for ecosystem agents that need these services, guaranteeing access to suppliers who meet specific quality and solvency requirements M.16 Holding conferences/events for entrepreneurs (Pitch Elevator, Pitch To Market, etc.) Organization and celebration of the event as well as associated communication campaigns M.17 National cybersecurity R&D+i conferences A scientific meeting point in which the network in particular and the ecosystem in general can show their capacities both in the areas of knowledge and talent as well as in research results and potential transference to market. Synergy with other initiatives and Network of excellence measures M.18 Define the profile and abilities of the cybersecurity research professional Participatory process to determine the skills, capacities and basic abilities that the profile of the Network cybersecurity researcher should have, especially in the fields of R&D+i, training and the entrepreneurial profile. M.19 Differential analysis of cybersecurity training programs to meet needs for talent development in cybersecurity. Analysis of both curriculum needs (demanded profiles in both science and industry) as well as training requirements Collaboration with Administration - Science - Market M.20 Collaboration with other ecosystem agents in activities to promote, identify, recruit, attract and retain talent regarding cybersecurity professional opportunities. M.21 Talent recruitment/exchange within the ecosystem Identify and specify mechanisms for retaining, recruiting and exchanging research talent within and to the national ecosystem M22. Encourage and facilitate access to Network research talent by the Cybersecurity Cluster in Spain. Collaboration with industry research professionals for both cybersecurity solution development and innovative services. Summary report Page 68 of 81

69 APPENDIX III DOCUMENT SOURCES CONSULTED Agencia Española de Protección de Datos (AEPD) ( Agencia Europea de Defensa (EDA) ( Agencia Europea de la Seguridad de las Redes y la Información (ENISA) ( x_es.htm). Agenda Digital Europea. Unión Europea. Agenda Digital para España. 2013/2014. Ministerio de Industria, Energía y Turismo, Ministerio de Hacienda y Administraciones Públicas. Centro Criptológico Nacional (CCN) ( Centro de Ciberseguridad Industrial ( Centro de Excelencia para la Cooperación en Ciberdefensa (CCDCOE) ( Centro Nacional de Inteligencia (CNI) ( Centro Nacional para la Protección de las Infraestructuras Críticas (CNPIC) ( Centro para el Desarrollo Tecnológico Industrial (CDTI) ( Cibersecurity Coordination Group (CSCG) ( security.aspx). Ciberseguridad en España: una propuesta para su gestión. Enrique Fojón Chamorro y Ángel F. Sanz Villalba. Real Instituto ElCano. Comisión Europea ( Competitive analysis of the UK cyber security sector. 29 de julio de Pierre Audoin Consultants. Congreso Cybercamp 2014 ( Cybercamp ( Summary report Page 69 of 81

70 Cybercrime Centres of Excellence Network for Training Research and Education ( Cybersecurity policy making at a turning point, Analysing a new generation of national cybersecurity strategies for the Internet economy Organización para la Cooperación y el Desarrollo Económico (OCDE). CyberTech Israel ( ENISA ( Estrategia de Seguridad Marítima Nacional Departamento de Seguridad Nacional, Presidencia del Gobierno. Estrategia de Seguridad Nacional Presidencia del Gobierno. Estrategia Española de Ciberseguridad Presidencia del Gobierno. Estrategia Europea de Ciberseguridad European Union Agency for Network and Information Security (ENISA). Estrategia Regional de Investigación e Innovación para una Especialización Inteligente. RIS3 de Castilla y León de abril de European Association for e-identity and Security EEMA ( European Network for Cybersecurity ( European Public Private Partnership for Resilience ( European Research Council (ERC) ( European Technology Platform on Industrial Safety ( Europol ( Grupo de Expertos de Alto Nivel de la Agenda Digital para España. Informe de recomendaciones del Grupo de Expertos de Alto Nivel para la Agenda Digital para España. 18 de junio de Guía rápida Horizonte Centro para el Desarrollo Tecnológico Industrial (CDTI). Horizon Work Programme Leadership in enabling and industrial technologies. Unión Europea. Summary report Page 70 of 81

71 Horizon Work Programme Leadership in enabling and industrial technologies. Information and Communication Technologies. Unión Europea. Horizon Work Programme Secure societies Protecting freedom and security of Europe and its citizens. Unión Europea. Horizonte 2020 ( IETF ( II Plan Autonómico de Investigación, Desarrollo y Transferencia de Conocimientos. Gobierno de Aragón. III Plan Riojano de I+D+i Gobierno de la Rioja. Information Technology Service Management Forum ( Informe anual Centro para el Desarrollo Tecnológico Industrial (CDTI). Informe SISE Análisis de las convocatorias del Plan Nacional correspondientes al año Ministerio de Ciencia e Innovación. Instituto Nacional de Ciberseguridad ( Interactive energy Roadmap ( Interpol ( INTERPOL World ( ISMS Forum Spain ( IV Plan Regional de Investigación Científica e Innovación Tecnológica Comunidad de Madrid. La ciberseguridad en la Unión Europea Henning Wegener-Instituto Español de Estudios Estratégicos. La nueva Ley de la Ciencia, la Tecnología y la Innovación. Aspectos relativos a la propiedad industrial e intelectual. Gonçalves Pereira. Cuatrecasas. Mando Conjunto de Ciberdefensa de las Fuerzas Armadas (MCCD) ( Mapa de ruta de la Ciberseguridad Industrial en España Centro de Ciberseguridad Industrial (CCI). Summary report Page 71 of 81

72 Ministerio de Defensa ( Ministerio de Economía y Competitividad ( Ministerio de Hacienda ( Ministerio de Industria ( Ministerio de Interior ( Ministerio de Presidencia ( MSP on ICT standardization ( Network and information Security Public-Private Platform ( Organización de Naciones Unidas (ONU) ( Organización del Tratado del Atlántico Norte (OTAN) ( Organización para la Cooperación y el Desarrollo Económico (OCDE) ( Organización para la Seguridad y la cooperación en Europa (OSCE) ( Parlamento Europeo ( Plan Andaluz de Investigación, Desarrollo e Innovación Junta de Andalucía. Plan Avanza 2 Ministerio de Industria, Turismo y Comercio; Secretaria de Estado de Telecomunicaciones y Sociedad de la Información. Plan de actuación 2013 del Plan Estatal de Investigación Científica, Técnica y de Innovación Plan de Ciencia Tecnología e Innovación Septiembre de Principado de Asturias. Plan de Ciencia, Tecnología e Innovación Illes Balears. Plan de Ciencia, Tecnología e Innovación Región de Murcia. Summary report Page 72 of 81

73 Plan de Confianza en el Ámbito Digital Ministerio de Industria, Energía y Turismo. Plan de Desarrollo e Innovación del Sector TIC Ministerio de Industria, Energía y Turismo. Plan de Innovación de Cantabria. Plan de Internacionalización de Empresas Tecnológicas. Junio Ministerio de Industria, Energía y Turismo. Plan de Investigación e Innovación Generalitat de Catalunya. Plan Estatal de Investigación Científica, Técnica y de Innovación Ministerio de Economía y competitividad. Plan Galego de Investigación, Innovación e Crecemento Xunta de Galicia. Plan General Estratégico de Ciencia y Tecnología Generalitat Valenciana. Plan Regional de Investigación Científica: Desarrollo Tecnológico e Innovación Castilla - La Mancha. Plataforma Tecnológica Española de Seguridad Industrial ( Plataforma Tecnológica Española de Tecnologías para Seguridad y Confianza ( Proyecto Fire ( Proyecto Forward ( Red Temática de Criptografía y Seguridad de la Información ( Servicio Europeo de Acción Exterior (EEAS) ( Syssec Network of Excellence ( The 2013 (ISC), Global Information Security Workforce Study. Frost & Sullivan. The National Energy Sector Cybersecurity Organization ( The Networking and Information Technology Research and Development Program ( Summary report Page 73 of 81

74 Trust In Digital Life ( V Plan Regional de Investigación, Desarrollo Tecnológico e Innovación Gobierno de Extremadura. Summary report Page 74 of 81

75 APPENDIX IV AGENTS OF THE CYBERSECURITY R&D+i ECOSYSTEM IN SPAIN This appendix displays a list of Spanish ecosystem agents identified during the course of this study, completing the section of the document [3.1 Map of Stakeholders & Agents]. Public Administrations Military organisations Ministry of Defence: Armed Forces Intelligence Centre (CIFAS) Ministry of Defence: Joint Command of Armed Forces Cyber-defence (MCCD) Civil organisations National Security Council: Committee Specialising in Maritime Security National Security Council: Situation Specialist Committee Ministry of the Economy and Competitiveness: Centre for Industrial Technological Development (CDTI) Ministry of Finance and Public Administrations Ministry of Industry, Energy, and Tourism: ENISA Ministry of Industry, Energy, and Tourism: Spanish National Cybersecurity Institute (INCIBE) Ministry of Justice: Spanish Data Protection Agency (AEPD) Ministry for the Presidency. National Intelligence Centre (CNI): National Cryptological Centre (CCN) Ministry of the Interior: National Centre for Critical Infrastructure Protection (CNPIC) Ministry of the Interior: State Security Bodies and Forces Other autonomous organisations: Autonomous Data Protection Agencies (Madrid, Catalonia and the Basque Country) Other autonomous organisations: Departments and Agencies competent in R&D+i Other autonomous organisations: Autonomous Security Bodies and Forces Academic Sector 42 universities (Universities registered by the Ministry of Education, Culture, and Sport that work in cybersecurityrelated disciplines) Summary report Page 75 of 81

76 Research group Cryptography and Information Security Research Group (GiCSI) Services and Networks Integration Group Telematic Services Engineering Group Group on Modern Heuristics for the Optimisation and Design of Communications Networks Electronic Engineering Group applied to Intelligent Spaces and Transport Information Engineering Research Unit Group of the Electronics and Systems Department High Performance Computing and Networking Digital System Lab Security Group of Information and Communications Technologies SoftLab Communications Services and Networks Identification Technologies University Group Analysis, Security, and Systems Group Formal Design and Analysis of Software Systems Cryptology and Computer Security Group Networks and Middleware Group Industrial IT and Computer Networks Applied IT Group Management IT Mobile Communications and Network Design Laboratory Alarcos Group Computer Networks and Architecture Security Research and Information Systems Auditing Group High Performance Architecture and Networks Prinia (Automation and IT Engineering Projects) Computer architecture and logical design Group Advanced Communications and Applied Telematics Engineering Research Group Telematics and Communications Cryptology Group Systems Engineering and Automation Group Information and communications systems Organisation and Use of Digital Content Supervision, control, and automation of Industrial Processes Organisation/Institution Spanish National Research Council Polytechnic University School of Mataró University of Alcalá de Henares Alfonso X El Sabio University Autonomous University of Madrid Carlos III University of Madrid Complutense University of Madrid University of Alicante University of Almería University of Cantabria University of Castilla la Mancha University of Córdoba University of Extremadura University of Granada University of la Laguna University of la Rioja University of las Palmas de Gran Canaria University of León Summary report Page 76 of 81

77 Intelligent Management Systems Knowledge Engineering Flexible Information Systems Robotics Artificial Vision and Pattern Recognition Engineering of Manufacturing Processes Advanced Information Systems Software Engineering Group Information and Communications Technologies Application Group Telematics Group Communications and Signal Theory Architecture and Parallel Computing Intelligent Systems and Telematics Information and Communications Systems Innovation Centre Multimedia Distributions Systems Group Algebra, Encrypting, and Cryptography Group Communications and Signal Theory Group Communications and Software Engineering Group Web Engineering Group Services, New Technologies, and Regional Development Group Economic Modelling Statistical-Econometrics Techniques Group Telecommunications Research Thematic Association Cryptography, IT Security, and Auditing of Information Systems University Institute of Industrial Technology of Asturias Biomedicine, Intelligent IT Systems, and Educational Technology Group Cryptography, Information Security, and Discrete Mathematics QUIVIR Group Languages, IT Systems, and Computer Assisted Learning Team Communications Technology Group. Computer and Neural Networks Vision Group Discrete Events Systems Engineering Group Robotics, Perception and Real Time Group Group of Distributed Information Systems NQAS Group I2T Group Computer Networks Research Group in Applied Electronics DEUSTEK2 D4K - Deusto for Knowledge Intelligent Systems Research Group University of Málaga University of Mondragón University of Murcia University of Oviedo University of Salamanca University of Seville University of Vigo University of Zaragoza University of the Basque Country/Euskal Herriko Unibertsitatea Deusto University European University of Madrid Summary report Page 77 of 81

78 Mobile and Wireless Communications Technologies Systems Structure Systems and Software Engineering Analysis and Development of Electrical Energy Systems Division of Systems and Electronic Engineering Telematics Engineering Telematics Systems for the Information Society and Knowledge Group Cryptology laboratory Group Telecommunication and Internet Networks and Services Group Integrated Systems laboratory Group Information and Communications Technology Research Group Next Generation Internet Processes Improvement and Security Communications and Signal Automation Next Generation Internet Telecommunication and Internet Networks and Services Microwave Group Privacy and Security in Information Systems Group IT Systems Networks, Systems, and Telematics Services Group Group of the Information and Communications Engineering Department Communications and Distributed Systems Telematics Engineering Software Processes Improvement Group Security and Electronic Commerce Cryptography and Graphs K-ryptography and Information Security for Open Networks Privacy and IP Protection Network Security Group Networks of Computers and Distributed Systems Mathematics Applied to Cryptography Telematics Services Computer Networks Group INGENIO Wireless Communications Research Group in Telecommunications Technologies and Strategies Networks and Communications Research Group CRISES Group Miguel Hernández University of Elche National Distance Education University Polytechnic University of Cartagena Polytechnic University of Madrid Comillas Pontifical University Public University of Navarra Autonomous University of Barcelona University of Girona University of the Balearic Islands University of Lleida Open University of Catalonia Polytechnic University of Catalonia Polytechnic University of Valencia Pompeu Fabra University Rovira i Virgili University Summary report Page 78 of 81

79 Research Centres Research Centre for Technological Risk Management (CIGTR) Vicomtech-IK4 Research Centre Research Centre: Tecnalia Spanish National Research Council (CSIC) R&D+i Support Organisations Technological Centres: Gradiant Technological Centres: Tecnalia Research results transference offices (OTRI). An office has been inventoried in each of the 42 universities identified as universities related to cybersecurity. The OTRI Spanish National Research Council (CSIC) are added to the latter. Industry Business associations Cybersecurity AEI Innovative Business Groups (AEI) Spanish Association of Defence, Aeronautical and Space Technological Companies (TEDAE) National Association of Cybersecurity and Technological Expertise (ANCITE) Association for the Protection of Critical Infrastructure (APIC) Basque Information Security and Privacy Association (Pribatua) Spanish Confederation of Information and Communications Technology and Electronics Businesses (Conectic) No con Name Certifying organisations European Committee for Electrotechnical Standarization (CENELEC) European Committee for Standarization (CEN) European Telecommunications Standards Institute (ETSI) Summary report Page 79 of 81

80 APPENDIX V COLLABORATIVE NETWORKS ANALYSED This section provides a list of the collaborative networks analysed in this study: National collaborative networks o Spanish technological platform for security and trust (esec-ametic) o Spanish Technological Platform of Industrial Security (PESI) o Industrial Cybersecurity Centre (CCI) o ISMS Forum Spain o Cryptography and information security thematic network (Criptored) o Information Technology Service Management Forum (ISMF Forum) European collaborative networks o SysSec Network of Excellence o European Public Private Partnership for Resilience o Cybercrime Centres of Excellence Network for Training Research and Education o Trust in Digital Life o European Network for Cybersecurity International collaborative networks o The Networking and Information Technology Research and Development Program (NITRD) o The National Energy Sector Cybersecurity Organization (EnergySec) o Interactivity energy Roadmap (ieroadmap) o The Open Web Application Security Project (OWASP) Summary report Page 80 of 81

81