2. Introduction

Since their emergence, information and communication technologies (ICTs) and digital services have evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.

As a result, national leaders have launched digital strategies and funded projects to increase internet connectivity and leverage the benefits of digital technologies to stimulate economic growth, enhance productivity and efficiency, improve service delivery and capacity, provide access to business and information, enable e-learning, strengthen workforce skills, and promote good governance. Countries cannot ignore the opportunities associated with greater connectivity and participation in the digital economy.

While the reliance on digital infrastructure is growing, the technology remains inherently vulnerable. The confidentiality, integrity, and availability of data, information systems, and digital infrastructure are challenged by rapidly evolving cybersecurity risks, including electronic fraud, theft of intellectual property and personally identifiable information, disruption of services, and damage or destruction of physical and digital assets. The transformational power of digital technologies and the internet as catalysts for economic growth and social development is at a critical point, as citizens’ and nations’ trust and confidence in the use of these technologies are increasingly undermined by cyber insecurity and the exploitation of vulnerabilities.

To fully realize the potential of technology, countries must align their national economic visions with their national security priorities. If the security risks associated with the proliferation of digitally-enabled infrastructure and internet applications are not appropriately balanced with comprehensive national cybersecurity strategies and resilience plans, countries will be unable to achieve the economic growth and national security goals they seek. In response, governments are developing both offensive and defensive capabilities to defend themselves from illicit and illegal activities in cyberspace and to pre-empt incidents before they can cause harm. This document focuses specifically on defensive and proactive responses, particularly in the form of national cybersecurity strategies.

Several national and international definitions of the term “cybersecurity” exist. For the purpose of this document, the term “cybersecurity” refers to the collection of tools, policies, guidelines, risk management approaches, actions, training, best practices, assurance measures, and technologies that can be used to protect the availability, integrity, and confidentiality of assets in the connected infrastructures of government, private organizations, and citizens. These assets include connected computing devices, personnel, infrastructure, applications, digital services, telecommunications systems, and data within the digital environment.

National cybersecurity strategies can take many forms and can go into varying levels of detail, depending on a country’s objectives and cybersecurity maturity. Therefore, there is no established or universally agreed definition of what constitutes a National Cybersecurity Strategy.

Relying on existing research in this area, this document encourages stakeholders to think of a National Cybersecurity Strategy as:

• an expression of the vision, high-level objectives, principles, and priorities that guide a country in addressing cybersecurity;
• an overview of the stakeholders responsible for strengthening national cybersecurity and their respective roles and responsibilities; and
• a description of the steps, programs, and initiatives that a country will undertake to protect its national digital infrastructure, and in the process, increase its security and resilience.

Setting the vision, objectives, and priorities upfront enables governments to look at cybersecurity holistically across their national digital ecosystem, rather than focusing narrowly on one sector, responding only to particular risks, or reacting to specific incidents – it allows them to be strategic. Priorities for national cybersecurity strategies vary by country: while some may focus on protecting critical infrastructure, others may prioritize intellectual property protection, promoting trust in the digital environment, or improving cybersecurity awareness of the general public – or a combination of these objectives.

The need to identify and prioritize investments and resources for the strategy development and implementation, as well as for related programs and initiatives, is critical to successfully managing risks in an area as all-encompassing as cybersecurity.

A National Cybersecurity Strategy also provides the opportunity to align cybersecurity priorities with broader ICT-related objectives. Cybersecurity is central to achieving the socio-economic objectives of modern economies, and the Strategy should reflect how those are supported. This can be achieved by referencing existing policies that implement a country’s digital or developmental agendas, or by incorporating cybersecurity into them.

Finally, a National Cybersecurity Strategy development process should translate a government’s vision into coherent and implementable policies that will help achieve its objectives. This includes not only the steps, programs, and initiatives to be implemented, but also the resources allocated for those efforts and how they should be used. Similarly, the process should identify the metrics and performance indicators to ensure that desired outcomes are achieved within set budgets and timelines.