Advancing Cybersecurity Capacity Building: Implementing a Principle-Based Approach
Executive Summary
Information and communication technologies (ICTs) have become critical catalysts for sustainable development. Yet no country will be able to reap the full potential of ICTs without also building cybersecurity capacity to address the risks associated with connectivity, such as losing trust in digital infrastructures, cybercrime, or even threats to national security. Still, in many nations, and especially those in the process of developing their ICT infrastructures, security often remains an afterthought. But increasing cybersecurity capacity is not only in the interest of individual countries – in a globally connected world where vulnerabilities in one country create risks for others, building resilient systems is crucial. Cybersecurity capacity building (CCB) is key to both mitigating these negative cross-border externalities and maximizing the benefits of ICT-led development.
Cybersecurity Capacity Building Today
Cybersecurity Capacity Building refers to a set of initiatives that empowers individuals, communities, and governments to reap potential gains from investments in digital technologies, or what the World Bank calls “digital dividends.” To do so, an engaged community of experts has formed to set up computer security incident response teams, provide support in developing national cybersecurity strategies, and carry out awareness-raising campaigns, among other initiatives. A number of maturity models have been developed to assess and benchmark cybersecurity capacity, and the Global Forum for Cyber Expertise (GFCE) was created as a first attempt to exchange and pool international expertise on CCB.
Early adopters in governments and international organizations as well as nonstate actors have increasingly recognized the relevance of CCB to address the risks of connectivity: states such as the UK, Netherlands, or the US, international and regional organizations including the OAS, ITU, and the EU and other actors like Oxford University or Microsoft are slowly lending support and resources to building capacity. For some, CCB has even become a tool for foreign policy – as a means to advocate for a particular model of internet governance, create market access for domestic companies, or promote specific technical standards.
Despite international recognition and an increasing number of incentives, the present supply falls short of what is needed to transform cybersecurity from an afterthought into an integral part of expanding connectivity. Efforts are often under-funded and uncoordinated – both within and between countries – and only few lessons learned and best practices are available. There is little exchange, let alone integration, between cybersecurity and development actors as well as diplomats. As a result, awareness of capacity building pitfalls that have plagued efforts in other areas is increasing slowly.
Five Principles to Address Current Gaps
To help close aforementioned gaps in ongoing efforts and to provide guidance on scaling CCB going forward, we advocate for a principle-based approach. Based on interviews we conducted with over forty experts in the field as well as a broad literature review, we suggest the following five guiding principles: national and international coordination and cooperation; integration of cybersecurity and development expertise; ownership of the recipient-country; sustainability of efforts; and continued and mutual learning.
For each of the principles, we suggest a goal – that is, an ideal set-up –, analyze the status quo, and provide recommendations on how to work towards the goal. Our key take-aways are:
- For better coordination and cooperation, we urge governments to develop an explicit national CCB approach to enhance the prioritization of efforts, streamline the domestic institutional setup across actors and work with civil society, academia, and the private sector to build efforts on a broad basis. Globally, it is important to push for the strengthening of an international forum, such as the GFCE, to enable cross-sector communication and knowledge exchange regarding efforts and best practices. When it comes to planning specific projects, regional organizations are key catalysts.
- To integrate efforts between different communities, cybersecurity and development experts must step outside their respective silos. This can include simple steps such as addressing differences in terminology. While projects and areas of work can remain separate, it should be clear that both work towards a similar goal, ideally in joint projects.
- To improve ownership, we urge international actors to develop strategies along with recipient countries and – where possible – ensure high-level and sustained institutional backing. Maturity assessments, such as the Cybersecurity Maturity Model (CMM), can play an important role in not only benchmarking existing capacity, but also bringing together relevant national stakeholders for conversation on CCB.
- To ensure the sustainability of efforts, CCB projects need to explicitly define who needs what capacity for what purpose. This trifold approach borrows from existing capacity building practices. As such, there is an opportunity not to start from scratch, but rather take inspiration from capacity building expertise in other areas, as well as established methods and instruments.
- Finally, to ensure continued and mutual learning about which measures have (not) worked and why, there is a need to increase the transparency of outcomes and improve models for measurement as well as evaluation. At the same time, a lack of examples and best practices should not deter action; rather, at this early stage, more projects need to be carried out, with learning happening in the process.
The Need for Political Leadership
As these recommendations show, there is an opportunity to make use of both cybersecurity expertise and existing knowledge and experience on how (not) to build capacity abroad, especially in the cybersecurity, development and diplomatic communities. However, CCB currently lacks the necessary top-level leadership attention and support to seize this opportunity. Depending on the direction that leadership takes, CCB will either “muddle through” or “keep pace”– two plausible scenarios that we develop at the end of the study. In both, exponential growth in connectivity appears to be a given; less certain is how cybersecurity capacity will evolve.
Germany is one of the countries that is well placed to take on a key role in the field. While current efforts are still at a nascent stage, Germany has one of the world’s most advanced ICT systems, boasts a strong international network, and can draw upon capacity building efforts in other areas. First, Germany should lead by example in terms of its domestic setup. This means devising a clear strategy that cuts across the turf concerns of different organizations and involves government and non-government actors alike. In parallel, a discussion needs to take place on how to mobilize funding – a conversation that needs to specifically include the Bundestag. Based on a strong domestic performance, Germany could become a catalyst for global action: utilizing its diplomatic relations with countries from the Global South, Germany could advocate for investing in resilient ICT infrastructures, provide necessary CCB measures in partner countries, and support the strengthening of multilateral efforts.
…