Author
INCIBE
This study has been elaborated with the collaboration of several agents who represent the national cybersecurity research & innovation ecosystem. [Appendix I STUDY PARTICIPANTS] contains a complete list of the organisations and their representatives who collaborated in the study.
May 2015
This publication belongs to INCIBE (Spanish National Cybersecurity Institute) and is subject to a Creative Commons Attribution-NonCommercial 3.0 Spain licence. As such, the copying, distribution, and public communication of this study is permitted under the following conditions:
• Attribution. The content of this report may be fully or partially reproduced by third parties, provided that they cite its origin and make express reference to INCIBE or CERTSI and its website: http://www.incibe.es. This attribution shall, under no circumstance, indicate that INCIBE supports this third party or supports the use that it makes of its study.
• Non-commercial Use. The original material and the studies deriving therefrom may be distributed, copied, and exhibited, provided that their use is not for commercial purposes.
When re-using or distributing the study, the terms of the licence of this study must be made clear. Some of these terms may be waived if permission is obtained from CERTSI as the copyright owner. Complete licence text: http://creativecommons.org/licenses/by-nc-sa/3.0/es/
TABLE OF CONTENTS
1 BACKGROUND AND MOTIVATION
1.1 Context and study objective
1.2 Structure
1.3 Main conclusions
2 ANALYSIS FRAMEWORK
2.1 Analysis model
2.2 Methodology
2.3 Initial considerations
3 COMPETITIVE POSITIONING OF THE CYBERSECURITY RESEARCH & INNOVATION ECOSYSTEM
3.1 Map of Stakeholders & Agents
3.2 Analysis of the institutional, legal, and economic context
3.3 Characterisation of the cybersecurity research & innovation ecosystem
3.3.1 Resources
3.3.2 R&D+i value creation model
3.3.3 Results
3.4 Cybersecurity research & innovation ecosystem relationship model
3.4.1 Main national collaborative models or networks
3.4.2 Main international collaboration models or networks
3.5 Factors limiting cybersecurity R&D+i competitiveness
3.5.1 General and structural weaknesses and obstacles
3.5.2 Specific cybersecurity weaknesses and obstacles
3.5.3 Conclusions
3.6 SWOT analysis of the cybersecurity research & innovation ecosystem
3.7 Action plan for the increase in the cybersecurity research & innovation ecosystem’s competitiveness
4 OPPORTUNITY ANALYSIS AND SWOT OF THE CREATION OF A NETWORK OF EXCELLENCE ON CYBERSECURITY R&D+i
4.1 Opportunity Analysis
4.2 SWOT
5 NETWORK OF EXCELLENCE MODEL ALTERNATIVES
5.1 Multicriteria assessment of the Excellence network model alternatives
5.2 Presentation and validation of alternatives with the interested parties
6 MODELLING THE NETWORK
6.1 Strategic formulation of the network
6.1.1 Mission, vision, and values
6.1.2 Strategic objectives, action lines, and measures
6.2 Strategic alignment with the Cybersecurity Cluster in Spain project
7.1 Phase 0: Collaborative definition
7.2 Phase 1: Starting the pilot programme
7.3 Phase 2: Deployment
7.4 Phase 3: Stabilisation
7.5 Cross-disciplinary phase: Management of the implementation
7.6 Action Plan Schedule
APPENDIX I STUDY PARTICIPANTS
AI.1 INTERVIEWS
AI.2 QUESTIONNAIRES
AI.3 PARTICIPANTS IN THE FOCUS GROUPS
AI.3.1 FIRST FOCUS GROUP
AI.3.2 SECOND FOCUS GROUP
APPENDIX II STRATEGIC LINES OF ACTION AND MEASURES
APPENDIX III DOCUMENT SOURCES CONSULTED
APPENDIX IV AGENTS OF THE CYBERSECURITY R&D+i ECOSYSTEM IN SPAIN
1 BACKGROUND AND MOTIVATION
1.1 Context and study objective
The Spanish National Cybersecurity Institute (INCIBE) is an organisation dependent on the Ministry of Industry, Energy, and Tourism (MINETUR), through the State Department of Telecommunications and for the Information Society (SETSI), and it is the benchmark institution with regard to the development of cybersecurity, and of digital trust for the general public, for RedIRIS (the Spanish academic and research network), and for businesses, especially sectors of strategic importance.
In the framework of the Trust in the Digital Domain, which is part of the Digital Agenda for Spain, INCIBE has driven the elaboration of the “feasibility study and design of a network of centres of excellence in cybersecurity R&D+i”.
The objective of this study is to understand the context and dynamics through which cybersecurity R&D+i is conducted in Spain, in order to determine the suitability and relevance of the creation of a network of centres of excellence in cybersecurity R&D+i.
The future network would be aimed at overcoming the fragmentation of research, combining the critical mass of the best scientific and technological capacities, assets and talents, thus promoting an improvement in the competitiveness of the Spanish R&D+i cybersecurity ecosystem.
This document presents a summary of the main results obtained after the study has been carried out.
The study has been carried out with a participative, collaborative, and consensual approach.
The characterisation of an ecosystem such as the cybersecurity one, which is very complex and diverse, would not make sense without considering the vision, experience, and opinion of its agents, who really know the dynamics and capacities of the ecosystem itself, and its deficiencies, weaknesses, and issues. As such, the study has been carried out with the participation and “intelligence” of the ecosystem as its driving force.
A group of representative agents belonging to the four main types of organisations that form any ecosystem of this type has collaborated in the study: Public Administration, Academia, R&D+i Support Organisations and Industry. These agents have contributed by providing their vision on the current state of the ecosystem, and the issues and challenges that cybersecurity faces.
The study reflects the “global intelligence”, materialised in the visions and opinions with general consensus and majority backing from participants in the study. As such, the representativeness of the results obtained has been ensured.
This “Intelligence” has actively participated throughout the study, not only in the identification of the state of the art in cybersecurity R&D+i and the challenges that our country must address to improve its positioning, but also in the identification, validation, and agreed definition of the basic premises and the mission that should guide the creation of the future Network of Excellence, as well as the objectives that would be included in its agenda.
1.2 Structure
The contents of this document have been structured in accordance with the logic followed during the execution of the study:
Firstly, the main conclusions are presented as an executive summary, in terms of the positioning of the cybersecurity research & innovation ecosystem and the challenges that must be addressed, the feasibility of the creation of a Network of Excellence, and the strategic elements that should guide its creation and activity.
The [ANALYSIS FRAMEWORK] section illustrates the methodology that guided the preparation of the study. The main results of the analysis and assessment of the ecosystem, in terms of resources available, value production dynamics, and results obtained are displayed below. This analysis is complemented with the state of the art in terms of the collaboration dynamics and models present in the ecosystem.
As a result of that analysis and assessment, the main constraints and challenges that the ecosystem must face to improve its competitiveness are discussed, together with a proposed action plan to address this improvement.
This characterisation of the cybersecurity R&D+i ecosystem makes it possible to advance to the next step: determining the suitability and feasibility of establishing a Network of Excellence, promoting a leap forward in the value production and results of the ecosystem.
The main network model alternatives that respond to the challenges posed, and that were collaboratively considered to be the most feasible and suitable for the future network, are then presented. The study concludes with the strategic characterisation of the network (mission, values and strategic goals) and an action plan for the implementation of its activities over the coming years.
As additional information, the study includes appendices detailing the study participants, the documentary sources consulted, a look at the map of R&D+i agents in cybersecurity in Spain, and the details of the collaborative models analysed.
1.3 Main conclusions
The opportunity: positioning Spanish R&D+i on the global stage
In general, and taking into account the limitations in terms of quantifying cybersecurity, it should be highlighted that Spain does not have a clear R&D+i positioning at an international level, and it is not considered one of the “best in class” in any of the scientific-technological areas in which cybersecurity could be included¹.
Our country is behind other European countries, which is evidence of a major technological gap both in research and transference. The differentiating factors of the leading countries (the United States, Israel, and the United Kingdom) are policies and clear research focal points, as well as medium- and long-term investment in R&D+i, which allows the maturation necessary for obtaining returns. This gap also exists in Europe, where Spain is behind countries such as France, Germany, and the Netherlands.
In our ecosystem, a series of limitations explain this weak positioning and shape an environment that does not allow us to position ourselves amongst the world leaders in cybersecurity.
Many challenges ahead
Our ecosystem must overcome these limitations (challenges) and address the improvement of its competitiveness and results. These challenges, which are profoundly important and have a major impact, along with the dearth of networks and collaboration models in cybersecurity R&D+i, constitute an opportunity and explain the need to create a Network of Excellence which, through the connection, pooling, and exploitation of assets, responds to these challenges.
The network would undoubtedly play a key role in the future of the ecosystem, and it will allow the first steps to be taken towards a more cohesive and united ecosystem with greater synergy, resulting in higher levels of R&D+i.
Many of these challenges are related to the structural and circumstantial weaknesses of the Science and Technology System, which, in the last few years, have not accompanied the driving forwards of such a strategic and critical sector; on one hand, the financial crisis has resulted in a restriction of the budget appropriation in R&D+i, which has obviously affected cybersecurity; on the other hand, the structural weaknesses of the Science and Technology System and cultural factors (risk aversion, poor collaboration culture) slow down R&D+i in our country.
Likewise, there are also specific R&D+i challenges in cybersecurity, since many elements still need to be developed in our country. The State must establish a focus or a clear strategy with regard to the priorities from which R&D+i can be constructed, reverse the budgetary shortage trend, and develop a more extensive internal market, through a greater drive in the demand for cybersecurity solutions, mainly by the Public Administrations and the State.
¹ In the framework of the study, the following have been identified as large groups of scientific-technological areas: research, mobility, hardware, cyber-defence/cyber-attack, secure coding, and procedures/operations.
Making the most of the momentum created, and developing the ecosystem’s capacities to enter a new stage of cybersecurity in Spain
However, the major capacities of our country in R&D+i, the awareness that the ecosystem agents have about the need to tackle the challenges, along with a great willingness on the part of the latter to get involved in a new stage for R&D+i in cybersecurity, favour the ecosystem, since they are the fuel that will allow a step to be taken towards a new stage. This willingness of the ecosystem to develop the new generation of cybersecurity must be accompanied by the changes and actions that the Public Administration, in its role as facilitator and promoter, must take without fail for this step forward to become a reality. Elements such as the development of strategies with specific focal points, the establishing of a specific R&D+i Agenda, positioning in the European Union, and the necessary development in regulations or certifications, are part of the contextual conditions that this change requires.
In addition, for a “winning solution”, it is necessary to take this challenge seriously, with clear commitments and well-defined budgets, far from theoretical proposals and statements of intent that do not produce tangible and real results.
A brief review of the state of the art of R&D+i in cybersecurity
The current R&D+i situation in cybersecurity will allow us to outline the challenges faced by the ecosystem, in which the network will play a key role.
A dynamic sector with many opportunities
The cybersecurity sector presents many opportunities, with some factors standing out, such as:
• The increase in the number, type and sophistication of the threats.
• The greater number of vulnerabilities, due to the increasingly widespread use of technology (particularly mobile technology and cloud solutions).
• A growing awareness of organisations and consumers about security risks.
• Regulations, which impose obligations regarding the protection of personal data, and information, and the infrastructure that supports it.
A regulatory framework that has taken the first steps, but which must set the focus points and priorities
Cybersecurity is a key issue on the Spanish governmental agenda; the Government of Spain aligns itself with the issues raised by the European Union (Cybersecurity Strategy of the European Union), establishing a series of strategies with commitments regarding cybercrime, public administration security and cyber-defence².
Despite these strategies being an important step forward, they are high-level proposals that result in statements of intent which define the problem and provide general solutions, but they must be specific and well-grounded.
The absence of thematic focal points or priorities in these strategies is particularly remarkable. The agents taking part in the study consider that a clear development of R&D+i in cybersecurity is necessary, with a focus and funding, setting out the priorities and the “path” to follow, in order that the ecosystem may point in the direction established. Many agents who participated in the study are calling for the creation of a cybersecurity R&D+i-specific programme or agenda.
The legislation in force at the date of this study is marked by the development of specific regulatory aspects, although, as with the case of the strategies, there is still a long way to go. In the future, the regulatory framework should be expected to become a much broader element as cybersecurity policies are created.
An ecosystem with a broad capacity to generate more value
Our ecosystem is broad and diverse, since it includes more than 300 agents (from science, industry, administration, and R&D+i support organisations). However, it is strongly fragmented and disconnected, since the relationship dynamics between its agents are more one-off than general and without a specific focus on its activity. In short, it is an ecosystem that does not use all of the potential synergies of collaboration, which probably means that it is operating far below its capacity.
R&D+i results are poor in terms of transference and applicability to the market. This means that many publications and patents do not become products or services that are applied in the market. The poor incentives of the Science and Technology System for transferring the results of research to the market are one of the main limiting factors for reversing this trend.
Transference-specialised agents (R&D+i Support Organisations) must lead the process of transference and commercialisation of the research results to the industry, promoting an in-depth review of the transference mechanisms and incentives.
However, and despite all of these limiting factors, it is a relatively young ecosystem with many assets, and therefore, there is a long journey ahead and much room for improvement in the exploitation and development of its capacities.
² The National Cybersecurity Strategy (ECSN), part of the National Security Strategy (ESN), the Maritime Security Strategy, also part of the ESN, with specific action relating to maritime cybersecurity, and the Digital Agenda for Spain (inspired by the Digital Agenda for Europe) develop the Digital Trust Plan, implementing digital trust actions.
A poor financial framework for R&D+i
Spain is clearly weak in terms of funding, with investment levels that are lower than those of the leading countries³. There is therefore a loss of competitiveness in the industry and in the research system, with a long-term impact, since the results of R&D+i returns are felt over a relatively long period of time.
Despite the R&D+i Strategy (2013-2016 Spanish National Plan for Scientific and Technical Research and Innovation) mentioning cybersecurity as a thematic priority, its scope is not specified in terms of budgetary resources, and it is considered to have “limited funding”. The private sector has also shown signs of budgetary restriction as a result of the financial crisis, with major cuts in R&D+i investment.
Lastly, the lack of traction from the Administration, not only regarding the low level of specificity in cybersecurity policies, but also in terms of the absence of budgets in the public organisations, which have to implement these solutions in their own agencies, aggravates the problem, and adds a “request” dimension to the already complex budgetary situation.
A smaller market in Spain that limits the growth of R&D+i solutions
The low levels of demand for cybersecurity solutions in Spain result in a smaller market. The lack of awareness about the need for protection against cyber-attacks by consumers, companies, and the Public Administration (civil, defence, and intelligence) is a key factor that would explain this low demand. It is therefore necessary to continue making progress in the cybersecurity culture in our country.
Furthermore, the agents participating in the study call for actions aimed at strengthening Spanish solutions and a better traction from the Public Administration in the demand for innovative solutions.
Talent as one of the great concerns
The main issue of talent in Spain, given its recurrence in the conversations with the agents of the ecosystem that participated in the study, is the human capital flight to other countries in search of better opportunities. This poses a very concerning situation, given that cybersecurity is a field that requires specialised talent, in which the training of professionals requires time and maturity. This is occurring in a context in which there is expected to be a strong need for professionals over the coming years.
One of the main factors contributing to slowing down the capacity of the ecosystem to retain and recognise talent is shortcomings in the Science and Technology System, whose precarious remuneration does not contribute to creating a perception of research as a professional option. In addition, there is a need to organise and structure talent, through specific approaches for the training of cybersecurity researchers and professionals, which allow an itinerary and a clear training profile to be established.
The role of the future Network of Excellence
In the light of the diagnosis of the ecosystem, the network could play a key role in the search for and implementation of the solutions that respond to the challenges posed, leading to a strong, cohesive, and robust system with the capacity to position itself in the “winner’s league”.
Following the collaborative process carried out with the ecosystem agents, it has been identified, first of all, that the network could collaborate in the resolution of the following challenges:
• Definition of an R&D+i cybersecurity plan or agenda on a national level, as well as a plan for Spain’s positioning in the Horizon 2020 programme.
• Identification of the research incentive mechanisms.
• Awareness-raising about the need to protect information, systems, and networks against cyber threats and cyber-attacks.
• Identification of the capacities, potential, and level of excellence of the ecosystem.
• Review of the talent attraction and retention mechanisms that contribute to stemming the brain drain.
• Identification of the common points of interest in the ecosystem and the generation of collaboration incentives around them.
• Identification of the market needs for the development of solutions with a commercial focus.
Mission and Objectives of the Network of Excellence
During the network’s strategic formulation process, the following were highlighted as key elements of the network’s activity:
• Specific objectives, both in the long- and short-term, with a focus on R&D+i and on the transference of the research results to the market.
• Response capacity in a context in which the speed of technological change requires a flexible, open, and quick response. It is not only technologies that advance at an exponential rate, but also cyber threats and cyber-attacks.
• Coordination with the Government and Public Administrations responsible for the development of cybersecurity in order to be able to generate the appropriate responses in a coordinated and collaborative manner.
• Excellence as the key component governing the Network.
Developing R&D+i resources as the core mission of the Network
The network’s main objective will be to contribute to the improvement of competitiveness, to seek the development of solutions that respond to the needs of the market. As such, it will work actively to overcome the fragmentation of the ecosystem, through actions that allow the ecosystem’s capacities to be exploited in a collaborative, synergetic, and joint manner.
At the date of preparation of this document, the translation of the Network’s mission into strategic objectives, action lines, and specific measures is the subject of debate and consensus with the agents collaborating in the study. All of this is specified in [Appendix II: Strategic lines of action and measures], but it could also undergo some changes in the future.
2 ANALYSIS FRAMEWORK
2.1 Analysis model
The process for the creation of the study has been carried out using the following general analysis model, which reflects the group of assets, agents, and dynamics that allow value to be produced in the cybersecurity research & innovation ecosystem.
Figure 1: General analysis model.
From this perspective, a simplified representation of the ecosystem has been used, to be seen as a “system” which, through available resources, generates value in its main results.
• Resources: what elements does the ecosystem have that produce value?
• Results: what is the real result and the value produced by the ecosystem?
• R&D+i value creation model: what value production “vehicle” does the ecosystem have?
2.2 Methodology
The methodology for carrying out the study is based on two approaches:
• Collective thinking exercise with different key agents of the ecosystem that contributed their vision and perspective. Participants belong to different groups, including experts, companies, universities, technological centres, and public institutions in order to assure the representativeness of the study. They took part through the following mechanisms:
  o Individual, private, and anonymous interviews, in order to obtain free opinions from a total of 18 ecosystem agents (15 national and 3 international).
  o Submission of questionnaires to be completed by a total of 65 ecosystem agents.
  o Comparison with INCIBE of the results obtained in the collective thinking exercise, through a Think Tank session. The objective of this session was to align the aspects of the Network outlined by the Collective Intelligence with the strategic documents that explain both this study and the initiative of creating the Network of Excellence.
  o Focus Group Sessions aimed at generating free and guided discussion to finalise important aspects of the Network with the greatest degree of consensus possible. Two sessions were held with the participation of a group of relevant agents.
  Appendix I STUDY PARTICIPANTS includes the list of the organisations and individuals who collaborated in the preparation of this study.
• To complement these opinions, a comparison with analytical information and document sources available for cybersecurity was carried out both at a national and international level, from the different sources of information.
  Appendix III DOCUMENT SOURCES CONSULTED includes the detail of the sources analysed during the preparation of the study.
The objective of this combined analysis has been, in the first phase, to launch a divergent analysis, allowing the identification of the group of potential solution scenarios, in order to, in a second phase, converge towards the more feasible scenarios in the development and implementation of the future Network of Centres of Excellence in cybersecurity R&D+i.
2.3 Initial considerations
The interpretation of the study results must be carried out bearing in mind a series of elements that determine them.
Firstly, cybersecurity is a relatively new and emerging concept, which involves the virtual absence of studies and specific statistics that allow a systematic analysis to be carried out.
Moreover, it is a cross-sectional area, with applications in practically all fields of Information and Communications Technologies (ICT) and in all production sectors, which makes it difficult to obtain financial data to quantify both the industry and its R&D+i level⁴.
Lastly, it is a concept that, both due to its many applications and its implications (regulation, civil, military, and technological), is very wide in its interpretations. More specifically, in the area of R&D+i, the plurality of agents in the scientific-technological and knowledge areas⁵ increased the complexity of the study. This problem, in addition to the lack of data, means that the analysis of R&D+i in cybersecurity has not been able to be carried out globally and systematically.
As a result, the data and statistics that would be necessary to thoroughly evaluate R&D+i in cybersecurity from a quantitative point of view were not available for the analysis carried out. Research based on the knowledge of the ecosystem by INCIBE and the agents who participated in the study has been conducted to overcome this difficulty.
⁵ The absence of public sources and statistics that allow us to evaluate cybersecurity in detail made it impossible to carry
3 COMPETITIVE POSITIONING OF THE CYBERSECURITY RESEARCH & INNOVATION ECOSYSTEM
3.1 Map of Stakeholders & Agents
To put into context the current situation of the cybersecurity research & innovation ecosystem, one of the first tasks to undertake is to outline the map of agents both at a national and international level.
It is necessary to highlight the lack of formal and structured sources of information that compile and characterise all of the ecosystem agents comprehensively. In order for this not to affect the creation of the report, hard work was required during the agent identification process, using both the knowledge available (expert collaborators, interviewed/surveyed agents, and INCIBE), as well as the references shown in the various document sources analysed.
The cybersecurity research & innovation ecosystem is a complex ecosystem consisting of many agents with different roles, who interact with each other: Public Administrations, the Academic Sector, R&D+i Support Organisations, and the Industry.
Figure 3: Type of cybersecurity research & innovation ecosystem agents.
The Public Administrations consist of both civil and military organisations with different roles:
• Consultation role. These both civil and military non-governmental organisations are main lines of cybersecurity in the institutional and political sphere. Amongst other elements, they formulate recommendations and design global standards with the objective of creating a common framework that combines visions with regard to the development of cybersecurity in the different nations.
• Communication role. Aimed at the communication, sharing, and pooling of various issues in the area of cybersecurity.
• Strategic role. Country governments fall into this category, such as institutions, whose mission is to design strategies and public policies on this issue and make them operational. The institutions of the European Union that form policies are also included.
• Funding role. Governmental agents in charge of financially and economically covering cybersecurity. In the sphere of this study, only the agents that fund R&D+i activities have been considered.
• Legislative role. Agents who define the legal framework in which cybersecurity activities are managed.
• Demand-inducing role. The Public Administration exercises this role in two ways:
  o It demands security for the protection of the information managed by the administration itself.
  o It demands protection and security solutions in the area of defence and national intelligence.
The agents of the Academic Sector are the basic core of the scientific research and technological development system. This category includes universities (with their associated research groups) and (public and private) research centres.
R&D+i Support Organisations contribute to making the system dynamic, providing interaction between the scientific and technological settings for the dissemination and generalisation of R&D+i processes. Specifically, three types were considered:
• Research Results Transference Offices (OTRIs), whose objective is to contribute to the commercialisation of the R&D+i results generated in the university and research centres.
• Technological Centres (TC) which, in line with the requirements of the business, develop technological research and development projects, contributing to the transference of research results, promoting cooperative research between the companies and increasing their technological level and competitiveness.
• Technological Innovation Support Centres (CAIT), whose objective is to facilitate the application of knowledge generated in research institutions and technological centres, through their mediation to companies.
The Industry and companies are analysed from two perspectives:
• Companies that carry out their business in the area of cybersecurity.
• Business associations that, through the union and collaboration between their partners and members, seek to obtain synergies, economies of scale, and the carrying out of joint R&D+i activities.
Below, the map of the Spanish R&D+i Ecosystem is shown, identifying the number of agents that exist within each agent category:
Figure 4: Map of agents of the cybersecurity research & innovation ecosystem in Spain.
Appendix IV AGENTS OF THE CYBERSECURITY R&D+i ECOSYSTEM IN SPAIN of this document provides a list of the agents identified by each category.
3.2 Analysis of the institutional, legal, and economic context
Within the analysis model proposed for analysing the Cybersecurity research & innovation ecosystem, the first element to take into account is the context in which it is managed, which could be accepted as the “general rules of play” that define the perimeter of cybersecurity development.
Figure 5: General analysis model: context.
In the international scope, it is important to highlight that the first steps have been taken in recognising cybersecurity as a key issue on the governmental agendas, with high-level strategic guidelines being established to address it. These guidelines need to be reviewed constantly and continuously, given the speed of change in information technologies and cyber threats.
The European Union recognises the importance of cybersecurity in its main line of strategy, the Europe 2020 strategy, although it explicitly recognises that Member States must establish their own national strategies in this area.
In Spain, it must be highlighted that, despite the Spanish State having recognised cybersecurity as a key issue on the governmental agenda, the reality is that the strategies designed are high-level proposals that result in statements of intentions that define the challenges and provide general solutions, but they must be specific and well-grounded. Indeed, one of the characteristics of the different initiatives [6] that the Government of Spain has undertaken in relation to cybersecurity is the absence of thematic focal points or specific priorities.
This lack of specificity may be a disadvantage in the development of cybersecurity, with a general scenario being proposed where it is difficult for ecosystem agents to establish an action strategy.
In the legal sphere, the scenario is similar to the context, given that it is an element that is developed in parallel to the advancement and implementation of strategies in cybersecurity. As such, there is a long way to go, and the advancement and speed will be marked by the degree of strategic and political development.
[6] The Digital Agenda for Spain, the National Security Strategy (ESN), the National Cybersecurity Strategy (ECSN), and the
Specifically, there are various elements that could be highlighted as requiring development:
• Alignment of the Spanish and European legal frameworks, as a critical element for the detection and coordinated pursuit of cyber threats and cyber-attacks.
• The specific obligations in the protection of critical infrastructure.
• Regulatory developments aimed at driving forward the European digital market.
• The regulation of security aspects in Electronic Administration and interoperability in the exchange of electronic information between administrators.
Lastly, with regard to funding of R&D+i, cybersecurity is one of the thematic priorities of the European R&D+i programme (Horizon 2020), which has budgetary allocations and specific development areas.
At the State level, it can be concluded that cybersecurity receives lower levels of investment than leading countries (the United States, the United Kingdom, and Israel). In the absence of a specific cybersecurity R&D+i plan, the 2013-2016 State Plan for Scientific, Technical, and Innovation Research is the main source of funding for R&D+i activities in this field. This plan recognises this area as key, although there is only partial information about the budgetary allocation for this priority [7].
3.3 Characterisation of the cybersecurity research & innovation ecosystem
This section assesses the different elements that, in addition to the context, form the cybersecurity research & innovation ecosystem. Specifically, it analyses the resources, the value creation model and the results produced by this model.
3.3.1 Resources
The resources represent the basic elements available in the research & innovation ecosystem for the creation of value, represented by the market, science and knowledge, talent and funding.
[7] Through a request made to the Ministry of the Economy and Competitiveness on the degree of project execution in cybersecurity, we received the following data: 1) General Directorate of Scientific and Technical Research (DGICT): 27 projects funded during the 2009-2013 period, for a total amount of 3.3 million euros. 2) General Directorate of Innovation and Competitiveness (DGIC): in the 2014 call for Collaboration Challenges, 11 projects were funded in Challenge 8, Security, Protection, and Defence, for a total amount of 7.8 million euros. Additionally, during the 2010-2012 period, a total of 18 projects were funded in the framework of the sub-programme INNPACTO, for an amount of 20 million euros.
Figure 6: Resources.
Market
In general, the Spanish industry is characterised by high fragmentation and diversity in the category of companies, from large driving companies (national and international) to niche companies.
It can be concluded that the volume of companies is smaller in comparison to other economic sectors, although there are no public statistics that allow quantification of the company census.
It is necessary to make an effort in the Spanish industry to overcome the technological gap and to position the country on the global arena, since our industry as a whole is very far from both the main industrial leaders (the United States and Israel) and the second line of competitors (the United Kingdom, the Netherlands, France, and Germany, amongst others).
Lastly, the poor cybersecurity culture in Spain and the Administration’s low driving capacity for demand are other limiting factors for the industry’s capacity to generate and commercialise cybersecurity solutions. Both elements result in a smaller domestic market that limits the development possibilities for the industry. In an international context, Latin America is the main focal point for opportunity for our industry.
Science and knowledge
We should highlight the existence of critical mass in research in Spain, with 110 research groups in 42 universities and 3 research centres dedicated to cybersecurity being identified.
The diversity of scientific-technological areas (despite many of the research groups being dedicated to cryptography-related areas), and the disconnection and lack of collaboration between agents, disperse the research capacity and means, with no specific and defined strengths at an aggregate level.
Indeed, Spain does not appear in the Best in Class about research and transference in any of the cybersecurity scientific-technological areas.
Talent
The main element that characterises cybersecurity talent in Spain is the important loss of human capital to other countries, due to the better opportunities offered by our competitors.
Furthermore, the Science and Technology system has a series of weaknesses and shortcomings, which are limiting factors for the process of recruiting and retaining research personnel and they contribute to accelerating the human capital flight:
• “Precariousness” of the hiring and grants policy for research personnel, which does not contribute to improving research professionals’ perception of it as a professional option.
• The research personnel replacement ratio in the Academic Sector is much lower than loss of staff, resulting in a net reduction in the volume of research talent available.
• The low driving force in domestic demand for cybersecurity (consumers, companies, and the Administration) is an element that limits the development of the industry and, therefore, the demand for talent.
A favourable element is the availability of a good level of talent. However, many agents participating in the initiative consider it necessary to improve the talent training and recruitment plans in cybersecurity, with a more specific focus being generated in this field and with the labour market (industry) needs being incorporated into these plans. Lastly, it is important to highlight the forecast of a high demand for professionals over the coming years, given the great opportunities offered by cybersecurity.
Funding
In Spain, in the absence of a specific R&D+i plan in the field of cybersecurity, it can be highlighted that, despite the State policies (and those of some regions) establishing security as one of the thematic priorities for R&D+i, the level of financial support can only be partially evaluated.
Funding cuts in science have led not only to a reduction in funding for projects, but also to a limit on the research personnel of the institutions.
Given this situation, the European Union’s Horizon 2020 programme is practically the only route for funding R&D+i. The 2013-2016 State Scientific, Technical, and Innovation
Another of the means used by the Academic Sector to obtain funds is collaboration with companies (R&D contracts); however, due to the current issue of disconnection between science and business in our country, this means of funding is still low.
3.3.2 R&D+i value creation model
This model is fuelled by the resources of culture, talent, science and knowledge and transference and it adds value to them or takes value away from them depending on how the elements of the value production model are configured for producing a result.
Figure 7: cybersecurity R&D+i value creation model.
Culture
• Collaborative culture. The collaborative culture in our country is low, which reduces the ecosystem’s capacity to produce value through joint R&D+i projects.
• Entrepreneurship culture. Spain has a risk-aversion culture, which implies relatively low entrepreneurship levels. The agents participating in the study indicate the need to work and strengthen this element from the earliest stages of the education system.
• Cybersecurity culture. Companies and the market in general are not aware of the need to protect themselves and prevent attacks. This situation results in a reduced domestic market, which leads to low levels of demand for cybersecurity solutions in the three main groups that demand solutions (consumers, companies, and Public Administration). The search for international markets, such as Latin America, is a possible alternative to this lack of internal demand.
Talent
The cybersecurity talent-generating model begins in the university system, although some of the participating agents call for the need to develop a cybersecurity culture and professional vocations from the earliest stages of the educational system.
As a starting point, it must be borne in mind that this talent requires highly specialised training after graduation from university, and as such, the preparation and maturation of professionals in this field requires time. Furthermore, since it is a cross-sectional discipline, it does not have a specific training focus, which results in an unclear professional profile.
There is a large potential volume of talent, since any IT technician or telecommunications engineer, with the correct training, can become a cybersecurity professional. However, to develop all of this potential, a specific and “guided” training process is demanded, which is aligned with the national roadmap in this subject and guarantees that there are professionals who are trained for our country’s future challenges.
This alignment of university with cybersecurity should be formulated through closer contact with the industry, matching the needs of the market with academic training, which is the model followed by some leading countries in this field (the United States). Likewise, the future planned steps in the certification of professionals in cybersecurity will be an element that will contribute positively to distinguishing talent.
Science and knowledge
The cybersecurity research & innovation ecosystem in Spain is characterised by its amplitude, diversity, fragmentation, dispersal and by not having clear relationship dynamics between its agents.
However, since it is relatively young, we can expect a positive evolution in the use and development of these research capacities. It is therefore necessary to make progress in terms of greater levels of collaboration in common objectives, which will increase the positioning of our ecosystem both nationally and internationally.
In addition to the lack of collaboration, there are other elements that hinder its research capacity and prevent it from extracting all of its potential: the lack of a specific R&D+i plan for cybersecurity and the poor budgetary allocation to science.
Lastly, it will be necessary to work on a series of elements that allow the creation of solid foundations in order to increase the contribution of value in cybersecurity R&D+i:
• Knowledge of the capacities and potential of R&D+i in Spain as the first step for boosting the research.
• A better definition of the policies (focal points) and public budgetary allocations.
• Relaunching of instruments that enable and empower the role of the Public Administration as a driving force of the demand for cybersecurity. Innovative public purchasing and the early demand for innovative solutions are useful elements for boosting the development of leading solutions.
Transference
The weaknesses of our country in the process of transferring the results of research to the market and the now traditional disconnection between science and the market are recurring themes in the debate on the Spanish Science and Technology System.
The levels of transference to the market, which cannot be assessed objectively, due to the lack of public data, are relatively poor in the opinion of the agents and experts who participated in the study, who point to some elements as causes of this situation:
• The Academic Sector indicates the poor incentives for researchers to implement transference. However, the agents who specialise in transference must play a key role in the commercialisation of the research results to the industry.
• Another of the elements indicated is the ease that proximity between companies and research centres provides to the transference process, which is complicated for geographical regions that are far from the main business centres, since the business network does not usually have an R&D+i culture, and it is more focussed on surviving the crisis than promoting it.
• In the sphere of cybersecurity, there is also the fact that companies and the market in general are not aware of the need to protect themselves and prevent attacks.
• Transference on an international level is complicated, since the sovereignty of countries in cybersecurity affects the transference process, not only in terms of military and intelligence aspects, but also in solutions in the civil sphere.
The solution to the lack of transference has to take into account various elements:
• The carrying out of joint projects that have common interests both for science and the industry.
• Making the research capacity and potential of the Academic Sector known to the industry.
• Revision of the transference agents’ model, establishing the incentives that allow a
3.3.3 Results
Figure 8: Results.
The results reflect how the research & innovation ecosystem adds or subtracts value to or from the resources. In accordance with the analysis model proposed, there are four main result categories to generate: publications, patents, technological companies and reference, with the latter term being understood to mean the ecosystem’s capacity to position itself as excellent and a reference within the scientific-technological panorama of cybersecurity.
In general, the diversity of scientific-technological areas (despite many research groups being dedicated to areas related to cryptography) and the disconnection and lack of collaboration between research & innovation ecosystem agents, means that the results of the research are dispersed and do not have specific and defined strengths.
As a result, the Spanish cybersecurity research & innovation ecosystem is not a reference at an international level in any scientific-technological area that includes cybersecurity (which does not imply that there are no references at the individual level of researchers, universities, or research groups).
The agents participating in the study perceive that the results of R&D+i in cybersecurity are poor. Perhaps the production of publications and patents are the elements that have the most volume, although the lack of applicability and transference to the market means that, in practice, these results are not transformed into financial value and do not reach the market. This low applicability may be due to various factors:
• Lack of specific research strategies with practical approaches for application.
• In the research system, there are no clear incentives for transference to the market and there is no defined entrepreneurship model.
3.4 Cybersecurity research & innovation ecosystem relationship model
In this section, an analysis of the relationship model is presented, covering the dynamics, models, and collaborative relationships between the different cybersecurity research & innovation ecosystem agents.
In order to achieve this, the vision of the agents participating in the initiative on the relationship dynamics in the ecosystem is illustrated. These visions will be complemented by an analysis of the main collaborative networks identified in our country. Lastly, due to its value as a source of best practices and inspiring experiences, an analysis of the main international networks is included.
Appendix V COLLABORATIVE NETWORKS ANALYSED includes a list of the national and international collaborative networks.
3.4.1 Main national collaborative models or networks
Generally, in Spain the collaboration culture is relatively poor, which is an initial limiting element for the development of cybersecurity R&D+i collaboration.
As mentioned before, the research & innovation ecosystem is characterised by its amplitude, diversity, and disconnection, which makes it difficult to systematically identify the collaboration and relationship dynamics between its agents. The evidence available indicates that collaboration between agents takes place on a one-off basis, with no indications of global and comprehensive collaboration in the ecosystem.
The agents participating in the initiative consider that in Spain, in comparison with other countries, R&D+i collaboration is low, mainly due to cultural aspects, added to the funding situation, which does not help the creation of collaboration ties through ecosystem agents carrying out joint projects.
There is a certain mood of pessimism with regard to the existing collaboration models, since it is considered that they do not fulfil vitally important premises, such as showing a real commitment to R&D+i materialised in budgets, or establishing clear business objectives, that result in collaboration for the development of marketable solutions.
Lastly, participants indicate the existence of collaboration in European R&D+i funding programmes (Horizon 2020 and previously, the Seventh Framework Programme). However, Spain’s returns in these programmes are not in line with its capacities, and as such, it is necessary to continue working on the development of a proactive strategy to position Spain in Horizon 2020 and in the European Union organisations involved in designing the priorities of the aforementioned programme.
Three main types of collaboration result from the analysis of the collaborative networks in Spain:
• Collaboration between science (universities and research groups) and the industry, which is increasingly common but at a level that is lower than in other sectors (perhaps because cybersecurity is an emerging sector), and is more one-off than general [8]. Many of these collaborations are organised in the context of funding programmes (mainly Horizon 2020), for the development of joint programmes.
• Collaboration between universities, with the A-4U Alliance being notable (strategic association between the Autonomous University of Barcelona, the Autonomous University of Madrid, Carlos III University of Madrid, and Pompeu Fabra University of Barcelona).
The main goal of collaborative networks is to be a meeting point between the agents of the ecosystem to achieve a global and integrating vision. Most networks provide for public-private participation. However, there are also collaboration networks with members who belong exclusively to the private sector.
As a general characterisation of the relationship models in our country, the following can be concluded:
• Given the emerging nature of the cybersecurity sector in our country, the networks identified are relatively young (with the oldest being around ten years old).
• Most of the identified relationships focus on activities related to dissemination, training or the implementation of working groups, with no networks detected that exclusively focus on R&D+i.
• The networks identified are of a general nature (ICT security in general), without having a specific focus on the cybersecurity field.
• The most advanced networks are those linked to the industrial sector, which is clearly positioned as the sector that is most involved in cooperation.
• They have a marked institutional nature although they integrate all categories of agents of the ecosystem (Public Administrations, Academic Sector, the Industry, and R&D+i Support Organisations).
• They are non-profit entities (with the information available, it is not possible to identify their legal form), and they are open to all interested agents, with no member admission criteria detected.
• In general, they are networks funded through membership fees and sponsorship, with some being funded by the government.
[8] Specific examples of alliances have been identified, such as that of INDRA’s Cybersecurity Chair and the Carlos III University of Madrid or the agreement signed by S21sec and the Institute of Forensic Sciences and Security of the Autonomous University of Madrid.
Lastly, it is necessary to highlight the important role of the one-off events that bring together the main agents of the ecosystem, which are excellent opportunities for them to network and develop the assets and advances in cybersecurity.
In this regard, since it is a reference in the sector, the International Information Security Conference (ENISE) organised by INCIBE, which is now in its eighth edition, deserves a special mention.
Furthermore, INCIBE is currently organising an annual event, Cybercamp, whose objective is to attract talent in the sphere of cybersecurity through various technical tests and some online activities like cybersecurity challenges; the aim is therefore to bring together the best talent in this area, and have the participation of the best students in cybersecurity training programmes in Spain, as well as the best international talent.
3.4.2 Main international collaboration models or networks
In the international sphere, the collaboration models and networks are at a more advanced stage than in Spain, mainly due to other countries’ more cooperative culture. The analysis of the networks is firstly organised around the European initiatives, and later the main characteristics of the networks internationally are illustrated, focussing on the success stories of the United States and Israel.
3.4.2.1 European collaboration models or networks
Many initiatives have been carried out in Europe seeking to generate ideas and bring together the different agents with an active role in cybersecurity. There are two main categories within these networks:
• Networks linked to the industry: These are led by the industry [9] but bring together members of the academic sector, R&D+i support organisations and consumer associations. Basically, these networks work to achieve the following objectives:
o To increase competitiveness, building up innovative ideas to create business opportunities.
o To develop a strategic agenda for R&D+i in Europe that is presented to the European Union, favouring alignment between its objectives and the main strategic lines established for R&D+i.
o To promote the interoperability of technological solutions.
• Networks linked to the European Union, where the latter plays a role as a cohesive element and facilitator of collaboration in the public-private sphere. These networks are characterised by having a marked political and institutional character, integrating all the active agents in cybersecurity. The main objectives of these networks are the exchange of information and the creation of best practices.
[9] Networks consisting of European ICT companies, such as Gemalto, Microsoft, Nokia, Philips and companies linked to the
3.4.2.2 Other international collaboration models or networks
The long history of the leading countries in cybersecurity (the United States and Israel), linked to the awareness and involvement of their authorities in the development of these types of networks, has contributed to the existence of very solid networks in these countries.
The role of the United States as a worldwide reference is highlighted, since it approaches collaboration from a comprehensive perspective. There are two main types of network: those led by governmental organisations and sectorial networks (led by the industry and participated in by the administration); both include amongst their members the main reference companies in the sector, and accept any type of agent who works directly or indirectly in the sphere of the network’s activity.
The services offered are usually aimed at the dissemination of information, advice, and training.
These networks are aimed at boosting R&D+i, placing special focus on strategic elements in the case of governmental networks, and establishing demands for cybersecurity in the case of sectorial networks.
Sectorial networks are usually aimed at the industrial and energy sector, and include the main interests of the industry to conduct them through R&D.
Lastly, it is necessary to highlight the many international cybersecurity events that have taken place to improve the networking between agents of the international ecosystem, and promote new collaborations.
3.5 Factors limiting cybersecurity R&D+i competitiveness
This section discusses the weaknesses and obstacles detected in relation to cybersecurity R&D+i, which constitute, along with the other conclusions, the base from which the ecosystem’s SWOT (presented in the following section) will be created. To facilitate comprehension, these elements have been organised into two main groups:
• General and structural weaknesses and obstacles. These are not specific cybersecurity elements, but rather general elements that mainly affect the foundations of the economy and society. With regard to this initiative, we principally include the deficiencies of the Spanish Science and Technology Systems and of the (mainly collaborative and entrepreneurial) culture of our country.
• Specific cybersecurity weaknesses and obstacles, which, although they can be reproduced in other areas, are more specific.
3.5.1 General and structural weaknesses and obstacles
• Complex environment to perform R&D+i in Spain, due to major cuts in funding in the Science and Technology System, which affects not only the execution of R&D+i projects, but also the hiring of research personnel.
• The Science and Technology System provides opportunities to improve the research incentives.
• The precariousness of the Science and Technology System’s budget does not contribute to making research a professional option.
• Disconnection between science and business.
• Very inadequate research results transference system, which requires a review by the agents involved in this work.
• Transference complexity at an international level, particularly in cybersecurity solutions related to government defence and intelligence.
• Risk aversion culture, which hinders entrepreneurship.
3.5.2 Specific cybersecurity weaknesses and obstacles
• General context. Lack of public data and statistics to allow a comprehensive and structured analysis and assessment to be carried out on cybersecurity in Spain.
• Cultural context. Low cybersecurity culture, both in the Administration itself and in companies and the general public, which limits the demand and development of solutions by the industry.
• Strategic context
o The Spanish cybersecurity strategies are established as a State priority. However, it is necessary to ground these proposals in specific actions, priorities, and focal points.
o Lack of a specific cybersecurity R&D+i programme.
• Regulation context. Regulation developments, some elements of which are still in their infancy, must be driven forward as an aspect that catalyses the demand for solutions and development in this area.
• Financial context
o Cuts to funding in the Science and Technology System that affect cybersecurity.
o Lower R&D+i investment levels than in other European countries and lower than leaders in cybersecurity, which puts our country at a clear disadvantage, while it hinders the competitiveness of the sector in the medium and long term.
• Market. Small cybersecurity market size in Spain due to the low demand for solutions, both from companies and from the Administration, with the latter being an important agent for driving forward solutions in this area.
• Ecosystem characterisation
o Spain does not have a clear positioning in the international cybersecurity scene, and it is behind the leading countries and many reference European countries (the United Kingdom, France, Germany, and the Netherlands).
o Extensive, diverse, fragmented, and disconnected ecosystem, without clear relationship dynamics between its agents, no specific focal point, and low levels of collaboration. A wide potential for use and development of capacities through collaboration and the generation of synergies between agents.
o Poor collaboration between the Academic Sector and the industry.
o Complexity of transference on an international level, particularly in terms of cybersecurity solutions related to defence and intelligence.
o Poor results and assessment of results of cybersecurity R&D+i in Spain.
o Brain drain to other countries with better opportunities and remuneration.
o Training processes that should be reviewed to adapt to the needs of the market.
3.5.3 Conclusions
When carrying out an assessment of the limiting factors in accordance with their impact, it can be observed that many of these factors have a high impact on the competitiveness of cybersecurity R&D+i, particularly those relating to:
• Socioeconomic context, such as funding cuts, the lack of operational strategies or
• Poor results and assessment of R&D+i.
• International positioning and the small size of the domestic market.
• Talent limitations, whether because talent is leaving Spain or because of the lack of alignment between the existing profiles and the demand for them by the industry.
| Nature | Limiting Factor | Impact |
|---|---|---|
| General/Specific | Funding cuts, which limit the execution of R&D+i projects. | |
| General/Specific | Funding cuts, which limit the hiring and attraction of research talent. | |
| Specific | R&D+i investment levels that are lower than in other European countries or those of cybersecurity leaders. | |
| Specific | A low cybersecurity culture. | |
| Specific | A cybersecurity strategy that is not specific or operational. | |
| Specific | Lack of a specific cybersecurity R&D+i plan. | |
| Specific | Poor cybersecurity R&D+i results. | |
| Specific | Poor assessment of R&D+i results. | |
| Specific | Weak positioning of Spain in cybersecurity on an international level. | |
| Specific | Small cybersecurity market size in Spain (low demand for cybersecurity solutions). | |
| Specific | Brain drain to other locations. | |
| Specific | Training processes that are not adapted to the needs of the market. | |
| Structural | Disconnection between science and business. | |
| Structural | Low culture of cooperation. | |
| Structural | Inefficient research results transference system. | |
| Structural | Risk averse culture. | |
| Specific | Lack of public data and statistics. | |
| Specific | Regulation developments in their infancy. | |
| Specific | Complexity of transference on an international level. | |
Table 1: Assessment of the impact of limiting factors identified in terms of competitiveness
As secondary aspects, with a lower impact on competitiveness, we highlight the emerging nature of cybersecurity as an industry (with the resulting lack of regulatory development), the difficulty of accessing data to characterise cybersecurity, and the difficulty of carrying out international transference.
Lastly, there are structural limiting factors in the Science and Technology System that hinder the development of R&D+i in general, such as the traditional disconnection between science and business (exacerbated by inefficient research results transference) or the existence of a poor culture of collaboration, which prevents the potential and synergies existing in the ecosystem from being developed.
3.6 SWOT analysis of the cybersecurity research & innovation ecosystem
In this section, the internal and external analysis of the cybersecurity research & innovation ecosystem is presented, materialised through the SWOT (Strengths, Weaknesses, Opportunities, and Threats) technique.
Strength is Spain’s competitive capacity, which gives the cybersecurity research & innovation ecosystem an advantage.
Weaknesses are the qualities that the cybersecurity research & innovation ecosystem has but is not capable of managing, and that place the ecosystem at a competitive disadvantage.
Opportunity is a favourable characteristic resulting from the effective use of strengths to improve the positioning of the ecosystem.
Threat is defined as an external competitor, event, or force that works against the ecosystem’s positioning.
Before presenting the SWOT analysis, it is necessary to highlight a series of specific initial premises and conditions of cybersecurity that are, therefore, an intrinsic part of the dynamics to which the research & innovation ecosystem is subject:
• A changing sector, both due to the continuous advance of cyber threats and the evolution of the technology itself.
• An industry with high fragmentation (large companies vs. niche companies) showing a high t