Subject 18: Cybersecurity Law
https://www.usom.gov.tr/index.html
- Cybersecurity
Ensuring information security in technological life and devices is critical for everyone in the cyber world. To achieve this information security, the best approach is to implement cybersecurity measures to protect vulnerable devices and environments, such as portable virtual devices, computers, and internet connections, from cyber attacks.
In today’s cyber world, the malicious use of computers and computer networks, along with cyber threats such as viruses, trojan horses, or keyloggers, leads to economic losses amounting to millions of liras. It is widely known that such problems typically arise as a result of identity theft, such as obtaining individuals’ Turkish Identification Numbers, stealing bank accounts, or acquiring credit card numbers. Identity theft not only creates economic problems for individuals but also leads to both financial losses and damage to reputation for financial institutions. Therefore, it is crucial that both individuals and financial institutions take cybersecurity measures to protect personal/customer information. There is a significant responsibility to raise public awareness about this matter. The most crucial among the mentioned tasks is the protection of data privacy, integrity, and accessibility (PIA) from the perspective of information security.
Organizations that store information must ensure the authenticity, completeness, accessibility, and shareability of both corporate and customer data among authorized individuals. Additionally, the programs created and used for these purposes must perform their functions in accordance with the concepts of data privacy, integrity, and accessibility (PIA). (https://dsy.usom.gov.tr/usom/19/02/190211082958_siber_guvenlige_giris_ve_temel_kavramlar.pdf)
Key Concepts of Information Security
a) Confidentiality: Ensuring that only authorized individuals or systems have access to information systems and data; preventing the unauthorized disclosure of confidential information pertaining to information systems or data by unauthorized individuals or systems.
b) Integrity: The modification of information systems and data is limited to authorized individuals or systems only.
c) Availability: Authorized individuals and processes should be able to access information systems and data at the required time and with the necessary quality.
- Definitions
The definitions in the “Basic Information on Cyber Security” published by USOM are given as follows.
- Access Control: It involves managing access to information, preventing unauthorized access to information systems, disallowing unauthorized user access, protecting services, detecting unauthorized activities, and ensuring information security in remote working environments.
- Identity Verification: It is the authentication mechanism for confirming the role or identity of any individual.
- Authorization: It is the process of determining whether an identity has access to specific resources.
- Asset: It defines valuable information resources that need protection against attacks (such as databases containing Turkish Identification Numbers, credit card information, or personnel databases).
- Security Vulnerability: Weak points and vulnerabilities in a system originating from software and hardware or gaps in the operational rules and/or guidelines of the system.
- Risk: Potential harmful outcomes that may arise as a result of a cyber attack.
- Threat: Possible attack scenarios or vulnerabilities that could lead to harmful outcomes.
- Types of Cyber Attacks
In the guide “Basic Information on Cyber Security” published by USOM, the types of cyber attacks are explained as follows:
In cyberspace there are numerous types of attacks and threats, which is why cybersecurity experts must protect their own computers and systems: for example, Trojan horses, viruses, worms, logic bombs, DDoS attacks, social engineering attacks, phishing attacks, etc.
Attackers, using these methods, can cause various harms to compromised computers or computer networks, such as alteration, destruction, service disruption, or data leakage. These damages can result in financial losses for an organization or public institution, and they may also harm its reputation by diminishing trust.
Malware: In the most general sense, malicious computer programs designed to gain unauthorized access to system information or to cause serious harm to computer systems. Malware is a broad term encompassing viruses, worms, trojans, rootkits, and spyware. Malware can be used against individuals, processes, and/or technologies. The key and most important point here is that the purpose of malware is to obtain unauthorized access to systems or to facilitate the acquisition of critical and important data.
Viruses: Computer viruses, in the broadest sense, are computer code that replicates itself within system files or programs. The critical point in understanding viruses is that they need to be executed by a user. This often happens through actions like opening an e-mail attachment or the automatic execution of a USB drive’s contents.
Worms: Similar to viruses, worms are malicious software designed to replicate themselves from one computer to another. The key difference from viruses is that worms automatically spread over a network. Due to their automatic spreading, worms can cause a computer network to slow down over time, leading to delayed loading of internet pages. Common methods of worm propagation include spreading through email attachments, web or FTP links, links sent in ICQ or IRC messages, and through peer-to-peer (P2P) file-sharing networks. Additionally, some worms spread as network packets, entering the computer’s memory directly, and then activating the worm code.
Trojan Horse: These are malicious programs that users install without in-depth knowledge of their content. For example, a user might think they are installing “Flash Player” when, in reality, they are downloading it from a random source rather than from a trusted one like “Adobe.” Generally, programs containing Trojan horses infect computer systems after the file is downloaded and executed. The characteristic feature of Trojan horses is enabling remote control or monitoring of the user’s computer. Computers infected with Trojan horses can be used as “zombie computers.”
Rootkit: A computer program that infects a computer, hides itself among running processes, and is difficult to detect. Unlike viruses, its goal is not to slow down your system or to spread. Instead, its purpose is to take control of your computer and conceal its presence in the system, providing remote control to malicious individuals. Initially developed and used to conceal administrative programs and system information from ordinary users in multi-user systems, rootkits can be encountered in malicious applications as well. Running a program believed to come from a trusted source with elevated privileges (such as root) can lead to the installation of a harmful rootkit. Similarly, exploiting vulnerabilities in the kernel or other components of a multi-user system to gain root access and install a rootkit is one of the most common infection methods. Identifying which files a rootkit has actually altered, which module it has loaded into the kernel, where it is registered in the file system, and on which network service it is listening to trigger commands is challenging. Nevertheless, methods like periodically storing the hash values of essential commands and of potential rootkit infection points can be used; later verification against these stored values then reveals any changes.
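The hash-baseline method mentioned above, worked through as an added example (this is not code from the USOM guide or from these lecture notes): a baseline of SHA-256 digests is taken over a set of essential commands, stored as JSON, and later re-checked to flag files that were modified or removed. The three sample "commands" are constructed in a temporary directory so the script runs offline; in real use the paths would point at the system's own binaries and the baseline would be kept on read-only or offline media.

```python
"""File-integrity baseline check: hash essential commands, verify later.

Added example, not part of the USOM guide or these lecture notes. It assumes
the files to watch are supplied as paths; the sample files in demo() are
constructed stand-ins for system commands.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries are not read into RAM at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths) -> dict:
    """Map each watched path to its current SHA-256 digest."""
    return {str(Path(p)): sha256_file(Path(p)) for p in paths}


def save_baseline(baseline: dict, out_path: Path) -> None:
    """Persist the baseline as sorted JSON (store this copy offline or read-only)."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path: Path) -> dict:
    return json.loads(in_path.read_text())


def verify_baseline(baseline: dict) -> dict:
    """Re-hash every path in the baseline and classify it as unchanged, modified or missing."""
    report = {"unchanged": [], "modified": [], "missing": []}
    for path_str, expected in sorted(baseline.items()):
        path = Path(path_str)
        if not path.exists():
            report["missing"].append(path_str)
        elif sha256_file(path) != expected:
            report["modified"].append(path_str)
        else:
            report["unchanged"].append(path_str)
    return report


def demo() -> dict:
    """Build a baseline over constructed sample commands, alter them, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ls, ps, netstat = root / "ls", root / "ps", root / "netstat"
        # Constructed stand-ins for /bin/ls, /bin/ps and netstat (sample content only).
        ls.write_bytes(b"#!/bin/sh\necho original ls\n")
        ps.write_bytes(b"#!/bin/sh\necho original ps\n")
        netstat.write_bytes(b"#!/bin/sh\necho original netstat\n")
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline([ls, ps, netstat]), baseline_file)

        # Simulated tampering of the kind a later check should reveal:
        # one command replaced, one removed.
        ps.write_bytes(b"#!/bin/sh\necho replaced ps\n")
        netstat.unlink()

        report = verify_baseline(load_baseline(baseline_file))
        # Report basenames so the result does not depend on the temporary path.
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A caveat a practitioner would want here: the check reads files through the kernel of the machine being examined, so a kernel-level rootkit can in principle present the original bytes to the checker while running altered code. The baseline and the checking tool are therefore more trustworthy when run from known-good media (for example, a boot from a read-only rescue image) and when the baseline itself is stored where the examined system cannot rewrite it.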
Phishing: The illicit acquisition of user information, such as usernames, passwords, identification details, credit card details, used for any system, through illegal means. The term “phishing” is a combination of the English words “password” and “fishing,” and its Turkish equivalent is “yemleme.” “Phishers,” as they are known, typically reach individuals through channels like email and request details such as credit card information, pretending to be an official institution. Users who respond to such emails risk having their accounts, passwords, and other private information stolen. For example, one might receive an email formatted to resemble an official bank communication, suggesting the provision of password or credit card information. In response to phishing, all banks and similar institutions emphasize that they never ask users for their private information via email and advise users to forward such emails or requests to them for verification.
Spyware: Spyware programs are created to spy on your computer. Spyware is defined as software that collects important user information and records the user’s actions without their knowledge, so that this information can be sent to malicious individuals. Compared to other malicious software, spyware is particularly often introduced into systems unknowingly by Internet users themselves. Unlike viruses and worms, spyware does not need to spread after infecting a system. Its goal is to remain hidden on the infected system and gather information. This information can sometimes be crucial, such as a credit card number. Additionally, commercial entities may distribute spyware on the internet to track users’ online habits.
Social Engineering: In contrast to approaches that exploit vulnerabilities in computer systems or networks to cause harm, “social engineering” is a method defined by taking advantage of human communication, thinking style, trust, or human weaknesses to render cybersecurity processes ineffective or bypass them. Social engineering methods can be summarized as creating fake scenarios through various lies, presenting oneself to the target as a trustworthy source, or extracting information through simple reward methods.
(Source: “Basic Information on Cyber Security”)
- The sources of cyber attacks
The sources of cyber attacks are outlined as follows in the Basic Information on Cyber Security published by USOM:
- Hackers & Cyber Criminals: Individuals who gain unauthorized access to personal computers, mobile devices, or organizational – corporate – public computer networks. In the Turkish Language Institute dictionary, they are defined as “individuals knowledgeable in computer and communication technologies, possessing skills above the standard in computer programming, thus developing advanced software and being able to use them.”
- Internal (Insider) Attackers: Individuals within an organization who launch attacks on internal systems for specific purposes.
- Cyber Activists: Individuals or groups who launch attacks on public or private sector cyberspaces to express social or political issues they deem bad or inappropriate within the framework of their worldviews.
- Intelligence Agencies: In the international cyber realm, countries have started to perceive each other as cyber threats. Due to this threat perception, countries are forming cyber defense and cyber attack teams. In addition to attempting to access critical data belonging to other countries, they also continue to launch cyber attacks on the critical infrastructure of target countries.
- Cyber Security Actors in Turkey
- Information and Communication Technologies Authority (BTK)
The Telecommunications Authority, established in January 2000, was transformed into the Information Technologies and Communication Authority (BTK) in November 2008. BTK has primary responsibilities in the following three areas:
- Electronic communications
- Information Technologies
- Postal services
Within this scope, BTK functions as a regulatory body and is responsible for authorization, supervision, dispute resolution, consumer rights protection, regulation of sector competition, issuing technical guidelines, and spectrum management and monitoring.
- TÜBİTAK (Scientific and Technological Research Council of Türkiye)
According to the organization text published by TÜBİTAK, “The Scientific and Technological Research Council of Turkey (TÜBİTAK) was established by Law No. 278, which came into effect upon its publication in the Official Gazette dated July 24, 1963 and numbered 11462.” According to the amendment to the Establishment Law, published in the Official Gazette dated September 9, 1993, and numbered 21693, and modified by Decree Law No. 498, the primary objective of the institution, as stipulated in Article 1 of the Establishment Law, is to “develop, encourage, organize, and coordinate research and development activities in positive sciences in Turkey based on the priorities in national development; access existing scientific and technical knowledge and ensure its accessibility.” The institution has “legal personality, administrative, and financial autonomy.” Attached to the Prime Ministry, the institution is subject to private law provisions in cases not specified in its own law.
According to the 2006-2010 Action Plan, TÜBİTAK established the Information Security Management System for four public institutions in 2007 and started organizing Information Technology Security Days for public institutions and private organizations in various activities. TÜBİTAK hosts ULAK-CSIRT, one of the two accredited CSIRTs (Computer Security Incident Response Team) in Turkey, operated for research and educational purposes.
- Cyber Security Board
https://www.btk.gov.tr/siber-guvenlik-kurulu
By the decision dated 11/6/2012 and numbered 2012/3842 on the Execution, Management, and Coordination of National Cyber Security Studies, published in the Official Gazette dated 20/10/2012 and numbered 28447, a National Cyber Security Board was established. The decision granted duties and powers in the field of cybersecurity to the Ministry of Transport, Maritime Affairs, and Communications. It also addressed the formation of working groups and temporary committees related to cybersecurity.
The content of the relevant Council of Ministers’ decision was legalized by Law No. 6518, published on 06/02/2014, through Additional Article 1 added to the Electronic Communications Law No. 5809 dated 5/11/2008. Additional paragraphs added to Law No. 5809 granted new responsibilities related to cybersecurity to the Information Technologies and Communication Authority.
Accordingly, a “Cyber Security Board” has been established under the chairmanship of the Minister in order to determine the measures to be taken by public institutions, organizations, and individuals regarding cybersecurity, to approve plans, programs, reports, procedures, principles, and standards prepared in this regard, and to ensure their implementation and coordination. The representation level of the ministries and public institutions that will be members of the Cyber Security Board is determined by the Council of Ministers.
The tasks of the Board include:
- Approving policies, strategies, and action plans related to cybersecurity and making the necessary decisions for their effective implementation nationwide.
- Deciding on proposals related to the identification of critical infrastructure.
- Determining institutions and organizations that will be exempt from all or part of the provisions related to cybersecurity.
- Performing other duties given by laws.
The Cyber Security Board is composed of the following individuals:
- Undersecretariat of the Ministry of Foreign Affairs
- Undersecretariat of the Ministry of Interior Affairs
- Undersecretariat of the Ministry of National Defense
- Undersecretariat of the Ministry of Transport, Maritime Affairs, and Communications
- Undersecretariat of Public Order and Security
- Undersecretariat of the National Intelligence Organization
- Chief of the General Staff, Head of Communications, Electronics, and Information Systems
- President of the Information Technologies and Communication Authority
- President of the Scientific and Technological Research Council of Turkey
- President of the Financial Crimes Investigation Board
- Telecommunications Communication President
- Senior executives of ministries and public institutions to be determined by the Minister of Transport, Maritime Affairs, and Communications.
The powers and duties related to cybersecurity have been granted to the Ministry of Transport, Maritime Affairs, and Communications by the addition of paragraph h to the first paragraph of Article 5 of the Electronic Communications Law No. 5809, dated 5/11/2008.
Click here for the National Cyber Security Action Plan 2020-2023
- National Cyber Incident Response Center (USOM)
“To address the cybersecurity challenges in our country, the following are undertaken:
- identification of threats in the cyber environment,
- development of measures to reduce or eliminate the impact of potential attacks and incidents,
- and sharing of information with identified actors, with the aim of …”
“The National Cyber Incident Response Center (USOM, TR-CERT) has been established within the framework of the Information Technologies and Communication Authority.”
The USOM, established under the Presidency, assesses reports and notifications related to threats emerging in the national and international cyber environment. It coordinates with public institutions and private individuals to detect and eliminate these threats. Incoming reports are tracked and evaluated from the initial stage through the resolution process.
https://www.youtube.com/watch?v=_T65PrFT88c
- “2019/12 Numbered Presidential Information and Communication Security Measures Directive”
The transfer of information to digital environments, the ease of access to information, the digitization of infrastructure, and the widespread use of information management systems bring significant security risks. To reduce and neutralize encountered security risks, especially to ensure the security of critical types of data that, when compromised in terms of confidentiality, integrity, or accessibility, could threaten national security or disrupt public order, the following measures are deemed appropriate.
- Population, health, and communication record information, and the critical information and data, such as genetic and biometric data, will be securely stored within the country.
- Critical data in public institutions will be kept in a secure network in an environment with restricted internet access where physically secure. Access to devices used in this network will be controlled, and log records will be stored with measures taken against tampering.
- Data belonging to public institutions will not be stored in cloud storage services, except for the institutions’ own private systems or domestically controlled service providers.
- Except for domestic mobile applications developed by institutions authorized for encoded or encrypted communication in the legislation, privacy-classified data sharing and communication will not be conducted through mobile applications.
- Privacy-classified data sharing and communication will not be conducted through social media.
- The use of local applications for social media and communication applications will be preferred.
- Security measures such as emanation security (TEMPEST) or similar measures will be taken in places where classified information is processed by public institutions and organizations.
- Mobile devices and devices with data transfer capabilities will not be kept in workspaces/areas where critical data, documents, and records are located and/or meetings are conducted.
- Data, documents, and records containing privacy or corporate confidentiality will not be stored on devices (laptops, mobile devices, external drives, etc.) that are not authorized corporately or are personally used.
- Portable devices (laptops, mobile devices, external drives/disks, CD/DVD, etc.), including those personally used, from unverified sources will not be connected to corporate systems. Devices storing confidential data can only be taken outside the organization if the data inside is encrypted both hardware and/or software; devices used for this purpose will be recorded.
- The development of domestic and national crypto systems will be encouraged, ensuring that confidential communication within institutions is carried out through these systems.
- Public institutions and organizations will obtain commitments from manufacturers and/or suppliers, to the extent possible, ensuring that the software or hardware they acquire does not contain any features and backdoors (security vulnerabilities that provide unauthorized access to systems without the knowledge/permission of users) that are not suitable for the intended use.
- Measures will be taken to ensure the secure development of software. The acquired or developed software will undergo security testing before use.
- Institutions and organizations will take necessary measures regarding cyber threat notifications.
- Access authorizations to systems for staff, including top-level executives, will be granted based on the tasks performed and needs.
- Industrial control systems will be kept offline, and if it is necessary for these systems to be connected to the internet, the required security measures (firewalls, end-to-end tunneling methods, authorization and authentication mechanisms, etc.) will be implemented.
- Security investigations or archival research will be conducted within the framework of relevant legislation regarding top executives of institutions and organizations with direct impact on national security, as well as critical personnel who will be involved in critical infrastructure, facilities, and projects of strategic importance.
- The settings of public email systems will be configured to be secure, email servers will be located within our country and under the control of the institution, and communication between servers will be encrypted.
- Corporate communication will not be conducted from non-corporate personal email addresses, and corporate emails will not be used for personal purposes (private communication, personal social media accounts, etc.).
- Operators authorized to provide communication services are obliged to establish an internet exchange point in Türkiye. Measures will be taken to prevent domestic communication traffic that should be exchanged domestically from being sent abroad.
- Operators will not transport data in regions where critical institutions are located through methods such as radiolink; instead, they will use fiber optic cables. Radiolink communication will not be used in critical data communication; however, in cases where its use is mandatory, data will be encrypted using devices with national crypto systems.
In order to ensure the security of critical types of data that could threaten national security or disrupt public order, with the aim of reducing security risks, rendering them ineffective, and securing the confidentiality, integrity, or accessibility of critical data, a “Guide for Information and Communication Security” containing different security levels will be prepared. This guide will be developed under the coordination of the Presidency of the Digital Transformation Office and with the necessary contributions from relevant public institutions and organizations. The guide will be published on www.cbddo.gov.tr. The guide will be updated in consideration of evolving technology, changing conditions, and the need for modifications to the National Cyber Security Strategy and action plans.
All public institutions and organizations, as well as businesses providing critical infrastructure services, are required to adhere to the procedures and principles outlined in the Guide when establishing new information systems. Existing information technology infrastructures will be gradually brought into compliance with these principles in accordance with the plan outlined in the Guide, taking into account the priority of security levels. In the compliance efforts and in the establishment of new information systems, the current version published at the specified address will be taken into consideration.
Excluding the tasks and activities carried out within the scope of ensuring national security and preserving confidentiality, institutions and organizations will establish audit mechanisms for the implementation of the Guide and will conduct audits at least once a year. Corrective and preventive activities carried out after the completion of the audit will be reported to the Digital Transformation Office in accordance with the procedures and principles specified in the Guide.
————————————————————————————————————————————————————————–
The copyrights pertaining to these lecture notes and all of their content, including the rights to reproduce, distribute, duplicate, represent, transmit via signals, and publicly communicate through any means of text, sound, and/or visual presentation, are protected by the Turkish Intellectual and Artistic Works Law and related legislation. All these intellectual and moral rights belong to Attorney and Lecturer Ozge EVCI ERALP. These lecture notes cannot be duplicated, published, or used without permission, and they cannot be published on internet websites without obtaining the necessary permissions. Ozge Evci ERALP 2023-2024