Portuguese Official Journal, Series 1 — No. 108 — 5
June, 2019
that results from the interaction between people, networks and
information systems.
Cybersecurity consists of a set of preventive, monitoring,
detection, reaction, analysis and correction measures and
actions aimed at maintaining the desired security level and
guaranteeing the confidentiality, integrity, availability and
non-repudiation of the information, networks and information
systems in the cyberspace, and the people that interact in it.
Cyberdefence is the activity aimed at securing the national
defence in or through cyberspace.
Cybercrime is understood as the facts corresponding to
crimes typified in the Cybercrime Law and to other criminal
offenses committed using technological means, in which these
means are essential to the execution of the crime in question.
Having presented the conceptual basis, it should be
mentioned that this Strategy builds on the existing law
governing sovereign international relations, in particular the
United Nations Charter and the International Humanitarian
Law, as well as the international conventions governing the
protection by States of the fundamental rights and
freedoms, in particular the Universal Declaration and the
Covenant on Civil and Political Rights, and the corresponding
European law, such as the European Convention on Human
Rights and the Charter of Fundamental Rights of the European
Union. It is also based on the general principles of State
sovereignty, the protection of the freedom of expression, of the
personal data and privacy, the outlines of the European Union
Cyber Security Strategy, and the North Atlantic Treaty
Organization's cyber defence policy; commitments made with
the objectives of being resilient and having the capacity for
quick and effective response to cyber-attacks. Thus, this
Strategy is based on the following principles:
Subsidiarity principle:
Portugal states its strong commitment to the security of
cyberspace. Considering that much of the technological
infrastructure that makes up the cyberspace is owned by
private sector entities, it is their primary responsibility to
protect it. This responsibility begins in the individual himself,
through the responsible way by which he uses cyberspace, and
ends with the State, as the guardian of sovereignty and the
constitutional principles.
Complementarity principle:
The security of cyberspace is a shared responsibility between
the different actors, whether public or private, collective or
individual. An inclusive, comprehensive and integrative
approach to cybersecurity requires different responsibilities
and capabilities to the benefit of the common interest.
The interdependence of technological infrastructures, and
the consequent probability of the propagation of the impacts
resulting from incidents, requires a complementary and
reliable action, based on the awareness of the duty of
reinforced cooperation between national structures and
entities, considering such dependencies in order to maximize
the digital protection and the digital resilience.
Proportionality principle:
Cyberspace security is also the result of a complex, verifiable
and continuous exercise in assessing the risks associated with
the digital ecosystem. Accordingly, the adequacy and
allocation of resources should be proportional to the risks
identified and to the execution of the action lines contained in
this Strategy.
2 — Analysis of the context
When the first National Strategy for Cyberspace Security
was approved in 2015, the technological emergence and its
impact on our society was already evident.
The trend towards growing dependence on
information and communication technologies and the
emergence of new phenomena with a direct impact on social
development have also brought about, in connected societies
like ours, significant opportunities for those wishing to
compromise our network and information systems for
potentially harmful purposes on the well-being of the
Portuguese society.
In a strategic environment, in which the geopolitical
landscape is in constant change, the threats to the cyberspace
of national interest originate from different agents and
have different typologies and motivations.
The threats from state agents, which increase the risks of
extending to armed conflict, stem from the political, military
and economic motivation on which these actors, under the
anonymity of cyberspace, seek to achieve their strategic
objectives through cyber-espionage, interference and
disinformation operations in a digital environment, including
cyber sabotage actions aimed at reaching critical
infrastructures and disrupting essential services to the proper
functioning of society.
On the other hand, threats from non-state actors are often of
criminal origin, with pecuniary motives, although there are
also politically and ideologically motivated actions, as well as
others aimed at denigrating institutional images and diminishing the
reputation of targets.
Through the massive exploitation of malware (or
«malicious code»), identity anonymization tools and the
transnational character of cyberspace, organized cybercrime
structures are increasingly present in the criminal landscape,
not only directly but also placing their technical capabilities at
the service of traditional criminal structures.
Also, traditional cybercrime targets have been expanding
with mass ransomware and payment methods that allow for
seemingly anonymous financial transactions. Similarly, the
growth of Internet-connected devices, known as the
Internet-of-Things, could contribute to an increase in attack vectors
available to organized cybercrime structures.
With regard to terrorism and its support activities, some of
the most frequent and visible offensive uses of information
and communication technologies by organizations and
individuals associated with terrorism include, namely, actions
aimed at the unauthorized alteration of the contents of national
Internet sites and the public exfiltration and disclosure of
information or personal data without the consent of the
respective subject for that purpose.
Finally, while active radicalization and mobilization
phenomena are not restricted to the online aspect, it is worth
mentioning the impact of services and social networks and
instantaneous communication platforms on these phenomena,
and in general, on the phenomenon of the distribution of
propaganda or apologetic content of major terrorist
organizations. Indeed, online communication services allow
an almost permanent contact between radicalized individuals
and the ones who do the radicalization, regardless of
geography, as well as the dissemination and saturation of