Help is on offer for governments looking to develop national cyber-security strategies from scratch or move beyond first-generation policies.
The 76-page "Guide to developing a national cybersecurity strategy" from the International Telecommunication Union (ITU) is billed as a ‘one-stop resource’ for governments, covering the purpose and content of a strategy plus actionable guidance on how to develop it.
If the security risks associated with the proliferation of ICT-enabled infrastructure and Internet applications are not appropriately balanced with comprehensive national cybersecurity strategies and resilience plans, countries will be unable to achieve the economic growth and the national security goals they are seeking.
By developing and implementing a National Cybersecurity Strategy, a nation can improve the security of its digital infrastructure and ultimately contribute to its broader socio-economic aspirations. National leaders need to be strategic about the opportunities offered and the risks posed to their countries by the digital environment; they also need to establish a clear vision of the digital future they wish to create.
Aimed primarily at policymakers responsible for developing their nation’s cyber-security strategy, the guide is filled with examples of existing best practice, models, resources and sources of assistance. It also contains tools to help evaluate existing and proposed strategies.
According to Brahima Sanou, director of the ITU telecommunications development bureau, despite the threat to their security, only 76 out of 195 countries in the world have published national cyber-security strategies. The quality of the strategies and their implementation vary widely, leaving many countries open to attack.
In 2016, Liberia’s internet infrastructure was subjected to one of the largest DDoS attacks seen to date. Peaking at more than 500Gbps, the attack took the country offline repeatedly over a period of months. This week, the perpetrator of that attack, British citizen Daniel Kaye, was sentenced in a UK court to 2½ years in jail after admitting three charges against him.
The ITU says the guide has been developed by organisations with diverse experience and hopes that it can help countries like Liberia develop and strengthen their cyber-security policies in line with their socio-economic development strategies and cultural and societal values.
It does not cover the development of offensive or defensive cyber-capabilities by military or intelligence services.
It is organised to follow the process of the development of a strategy, outlining:
- the strategic development lifecycle
- overarching principles for a strategy
- focus areas and good practice
It also provides supporting reference materials.
Melissa Hathaway, from the Cyber Readiness team at the Potomac Institute for Policy Studies (PIPS), was involved in the development of the guide and said, "This was the largest, and hopefully the most impactful, effort to date to bring intergovernmental and international organisations, as well as private sector, academia, and civil society together to produce a comprehensive overview of how to develop and implement a national cyber-security strategy."
She added: "The Guide provides an overview of the core components of what it takes for a country to become cyber-prepared, highlighting the critical aspects that governments should consider when developing their national strategies and implementation plans, as well as describing ‘how’ to build, implement, and review it."
Joanna Swiatkowska, senior research fellow at the Kosciuszko Institute and programme director of European Cybersecurity Forum – CYBERSEC, told SC Media UK that the ITU’s guide is an important contribution in the development of national cyber-security capabilities.
"Having a well-prepared, mature national cyber-security strategy is a key element of building the whole cyber-security posture," she said. "Using the ITU’s tool may help them to leapfrog the early generation of strategies, where various stakeholders try to figure out how to set up different elements."
And it will be useful for countries that have developed first-generation policies. "Preparing strategies is not a one-time task. This is a process and it is useful to prepare next-generation strategies with the help of different tools," she added. "ITU material is also interesting because it is prepared with the participation of private sector representatives, so it brings their know-how to the development of the strategies."
Kevin Brown, managing director of BT Security, told SC: "We welcome frameworks and guidelines that help the adoption of best practices and common definitions across the cyber industry. More importantly, we are eager to see both countries and organisations embrace this with clear and demonstrable activity."
He added: "We have a large global organisation that engages with private and public sector customers, so our standards and engagements are well-established. However, as the ITU states, with only 76 countries having a clear cyber strategy, further clarifications and agreements in creating clear and aligned security standards are welcome."
Organisations involved in the development of the guide were:
- Commonwealth Secretariat (ComSec)
- Commonwealth Telecommunications Organisation (CTO)
- Geneva Centre for Security Policy (GCSP)
- Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford
- International Telecommunication Union (ITU)
- NATO Cooperative Cyber Defence Centre Of Excellence (NATO CCD COE)
- Potomac Institute for Policy Studies
- RAND Europe
- World Bank
- United Nations Conference on Trade and Development (UNCTAD).
It was written by a team including:
- Katalaina Sapolu (ComSec)
- Shadrach Haruna (ComSec)
- Martin Koyabe (CTO)
- Fargani Tambeayuk (CTO)
- Andrea Rigoni (Deloitte)
- Carolin Weisser (GCSCC)
- Marco Obiso (ITU)
- Kaja Ciglic (Microsoft)
- Kadri Kaska (NATO CCD COE)
- Francesca Spidalieri and Melissa Hathaway (the Potomac Institute for Policy Studies)
- Erik Silfversten (RAND Europe)
- David Satola and Sandra Sergeant (The World Bank)
- Cecile Barayre (UNCTAD)