The NCS Guide 2021
The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitute successful cybersecurity strategies. It is the result of a unique, collaborative, and equitable multi-stakeholder effort.
The partners came together with an appreciation of the need to strengthen cooperation and coordination across the international community on cybersecurity capacity-building. The objective of this effort is to support national leaders and policymakers in the development of defensive and proactive responses to cyber risks, in the form of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness, response and resilience, and building confidence and security in the use of ICTs.
The Guide was developed through an iterative approach, which sought to reach agreement through consensus-building. It is based on existing resources and aims to facilitate its use by national stakeholders. Wherever possible, the relevant sources and tools used to develop each set of recommendations are listed in the Reference section to encourage their broader use.
Cybersecurity is a foundational element underpinning the achievement of socio-economic objectives of modern economies. The hope is that this second edition of the Guide to Developing a National Cybersecurity Strategy can continue to serve as a useful tool for all stakeholders involved in the development and implementation of this type of official document, including national policymakers, legislators, and regulators with cybersecurity responsibilities. In addition, it might have broader applicability, as the concepts introduced can be applied at the regional or municipal levels, as well as adapted for industry or used for academic research.
Note to readers on the update
Version 2 of the Guide to Developing a National Cybersecurity Strategy updates, refines, clarifies, and expands on Version 1, which was published in 2018. Since then, the cyber risk landscape has evolved and become increasingly complex, and this iteration attempts to capture the main cybersecurity trends that should be taken into consideration in national strategic planning. While Version 2 expands and enhances the content of Version 1, it does not change the structure of the Guide or its level of detail. Compatibility with Version 1 has been an explicit objective of this revision. The updates made can be summarized as follows:
- Importance of funding with intent and investing in necessary resources: more detailed language has been incorporated to emphasize the need to invest in the necessary economic, human, and organisational resources for the full lifecycle of the Strategy (development, implementation, and revision);
- Stakeholder involvement: this version reiterates the crucial role of the private sector and civil society in the processes of incident response and management, information sharing, and awareness raising both domestically and abroad. Also, more emphasis is given to the role that international stakeholders can play in the development and implementation of a national cybersecurity strategy. There is a wide variety of international organisations, non-governmental organisations, and multilateral organisations that specialise in supporting national governments;
- Resilience and interdependencies: the updated content stresses the importance of considering a country’s internet-infrastructure entanglements and the resulting dependencies and vulnerabilities, the interconnections and interdependencies across sectors, and other supply chain risks. It provides more detailed good practices to encourage cooperation among different stakeholders to address increasing risks and improve resilience in the face of the expanding threat landscape;
- Multidisciplinary approach to cyber capacity building: this version of the Guide recognises that cybersecurity applies to all verticals of society, and provides more detailed recommendations to develop capacity building activities that are inclusive and multidisciplinary, including policy, law enforcement, education, awareness, and diplomacy efforts;
- Legislation, regulation, and human rights: this version has significantly expanded the coverage of good practices relating to the development of domestic cybersecurity and cybercrime legislation and regulation, and on the safeguarding of human rights and liberties;
- International cooperation: the updated Guide further emphasises the areas that a Strategy could cover in terms of cybersecurity cooperation and engagement at the regional and international levels, including on international trade agreements, regional economic partnerships, and voluntary norms of responsible state behaviour in cyberspace. It stresses the importance of international law enforcement cooperation and formal or informal mechanisms to share information, build trust, and support cross-border cooperation in combating cybercrime and other cyber-enabled crimes.
The 2021 Guide in Detail
1. Document Overview
The purpose of this document is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber preparedness and resilience.
2. Introduction
Since its creation, Information and Communication Technology has evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.
3. Lifecycle of a National Cybersecurity Strategy
This Section provides an overview of the various phases in the development of a Strategy.
4. Overarching Principles
This Section presents nine cross-cutting principles, which taken together can help in the development of a forward-looking and holistic National Cybersecurity Strategy.
5. National Cybersecurity Strategy Good Practice
Cybersecurity affects many areas of socio-economic development and is influenced by several factors within the national context.
6. Reference Materials
In the process of updating this Guide, a stocktaking of existing guides and best practices was conducted.
Joint foreword
Over the last two decades, people worldwide have benefitted from the growth and adoption of information and communication technologies (ICTs) and associated socio-economic and political opportunities. Digital transformation can be a powerful enabler of inclusive and sustainable development, but only if the underlying infrastructure and services that depend on it are safe, secure, and resilient. To reap the benefits and manage the challenges of digitalization, countries need to frame the proliferation of ICT-enabled infrastructures and services within a comprehensive national cybersecurity strategy.
To help governments in this endeavour, a consortium of partner organisations jointly developed and published the first Guide to Developing a National Cybersecurity Strategy (NCS) in 2018. Since then, the number of national cybersecurity strategies or frameworks worldwide has increased significantly. In 2018, only 76 countries had adopted a strategy while today more than 127 countries have such strategies in place, and many have used the Guide as a reference and blueprint. [1]
However, the fast-changing nature of cyberspace, the increased dependency on ICT, and the proliferation of digital risks all call for continuous improvements to national cybersecurity strategies. Most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies and inadequate resilience.
This second edition of the Guide could not come at a more critical time. The updated content reflects the complex and evolving nature of cyberspace, as well as the main trends that can impact cybersecurity and should, therefore, be included in national strategic planning. The objective of the Guide is to instigate strategic thinking and continue supporting national leaders and policy-makers in the ongoing development, establishment, and implementation of such national cybersecurity strategies and policies. We are confident that this new Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities.
As in the previous edition, this Guide is the result of a unique, collaborative, and equitable multi-stakeholder cooperation effort among partners working in the field of national cybersecurity strategies, policies, and cyber capacity-building. Twenty expert organisations from the public and private sectors, as well as academia and civil society, shared their experience, knowledge, and expertise to produce this updated Guide, which draws from existing know-how from the participating organisations, as well as references to complementary publications and other available resources.
We would like to express our gratitude to the partners involved for their invaluable support and commitment in making this project a great achievement as a concrete example of a successful multi-stakeholder collaboration. We want to encourage this partnership to continue to collaborate and we look forward to working even more closely with governments, regional and international bodies, law enforcement, academia, the private sector, civil society, and the United Nations entities to promote strategic reflections on cybersecurity, cyber capacity-building, and cyber resilience.
Jointly signed by:
Mr. Jorge Martínez Morando
Partner, Axon Partners Group Consulting
Mr. Alexander Seger
Head of Cybercrime Division, Council of Europe
Ms. Lessie Longstreet
Global Director, Outreach and Partner Engagement, Cyber Readiness Institute
Dr. Luis Franceschi
Senior Director, Governance and Peace Directorate, Commonwealth Secretariat
Ms. Bernadette Lewis
Secretary General, Commonwealth Telecommunication Organisation
Ambassador Thomas Guerber
Director, Geneva Centre for Security Sector Governance
Mr. Andrea Rigoni
Partner and Global Governments & Public Services Cyber Leader, Deloitte
Mr. Chris Gibson
Executive Director, Forum of Incident Response and Security Teams
Prof. Sadie Creese
Director, Global Cyber Security Capacity Centre
Ambassador Thomas Greminger
Director, Geneva Centre for Security Policy
Mr. David van Duren
Director, Global Forum on Cyber Expertise Secretariat
Ms. Lea Kaspar
Executive Director, Global Partners Digital
Mr. Craig Jones
Director of Cybercrime, INTERPOL
Ms. Doreen Bogdan-Martin
Director, Telecommunication Development Bureau, International Telecommunication Union
Ms. Amanda Craig
Senior Director, Cybersecurity Policy, Microsoft
Col. Jaak Tarien
Director, NATO Cooperative Cyber Defence Centre of Excellence
Ms. Melissa Hathaway
President, Hathaway Global Strategies LLC, and Senior Fellow at the Potomac Institute for Policy Studies
Ms. Nicole Klingen
Acting Director, Digital Development, The World Bank
Dr. Robin Geiss
Director, United Nations Institute for Disarmament Research
Dr. Jehangir Khan
Director, United Nations Counter-Terrorism Centre, United Nations Office of Counter-Terrorism
Dr. Jingbo Huang
Director, United Nations University Institute in Macau
Mr. Georges de Moura
Head of Industry Solution, Center for Cybersecurity, World Economic Forum
[1] Global Cybersecurity Index reports 2018 and 2020: https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx
Document Overview
The purpose of this document is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness and resilience.
This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.
The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.
Introduction
Since its creation, Information and Communication Technology has evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.
As a result, national leaders have started to launch digital strategies and to fund projects that increase Internet connectivity and leverage the benefits stemming from the use of ICTs, to stimulate economic growth, to increase productivity and efficiency, to improve service delivery and capacity, to provide access to business and information, to enable e-learning, to enhance workforce skills and to promote good governance. Countries cannot ignore the opportunities associated with becoming connected and participating in the Internet economy.
Lifecycle of a National Cybersecurity Strategy
This Section provides an overview of the various phases in the development of a Strategy, which include:
- Phase I – Initiation
- Phase II – Stocktaking and analysis
- Phase III – Production
- Phase IV – Implementation
- Phase V – Monitoring and Evaluation
This Section also introduces the key entities that should be involved in the development of the Strategy and highlights other relevant stakeholders that could contribute to the process.
This Section ultimately aims to provide the reader with an understanding of the steps to be taken by a nation in order to draft a National Strategy and the possible mechanisms for its implementation according to the nation’s specific needs and requirements, integrating the overarching principles (described in Section 4) and good practice (described in Section 5).
This lifecycle, as illustrated in Figure 1, guides users of this document in focusing on strategic thinking about cybersecurity at the national level.
Overarching Principles
This Section presents nine cross-cutting principles, which taken together can help in the development of a forward-looking and holistic National Cybersecurity Strategy.
These principles are applicable to all key focus areas identified in this document. They should be considered in all steps of a National Strategy development process, from the drafting of the National Strategy document to its implementation. The order of these principles reflects a logical narrative rather than an order of importance.
National Cybersecurity Strategy Good Practice
Cybersecurity affects many areas of socio-economic development and is influenced by several factors within the national context.
Therefore, this Section introduces a set of good-practice elements that can make the Strategy comprehensive and effective, while allowing for tailoring to the national context.
These good-practice elements are grouped into distinct focus areas – effectively overarching themes for a National Cybersecurity Strategy. While both the focus areas and the good-practice elements have been put forward here as examples of good practice, it is particularly important that the latter are viewed in the national context, as some may not be relevant to a country’s specific situation. Countries should identify and follow the good-practice elements that support their own objectives and priorities in line with the vision defined in their Strategy (Section 4). The order of the individual elements or focus areas below should not be seen as indicating a level of importance or priority.
Reference Materials
In the process of updating this Guide, a stocktaking of existing guides and best practices was conducted.
This allowed us to identify materials already available to support countries in developing their National Cybersecurity Strategy. The list below provides a comprehensive catalogue of the abovementioned materials, including web links.