Section 5

National Cybersecurity Strategy Good Practice


Cybersecurity affects many areas of socio-economic development and is influenced by several factors within the national context.

Therefore, this Section introduces a set of good-practice elements that can make the Strategy comprehensive and effective, while allowing for tailoring to the national context.

These good-practice elements are grouped into distinct focus areas – effectively overarching themes for a National Cybersecurity Strategy. While both the focus areas and the good-practice elements have been put forward here as examples of good practice, it is particularly important that the latter are viewed in the national context, as some may not be relevant to a country’s specific situation. Countries should identify and follow the good-practice elements that support their own objectives and priorities in line with the vision defined in their Strategy (Section 4). The order of the individual elements or focus areas below should not be seen as indicating a level of importance or priority.

5.1 Focus Area 1 – Governance

This focus area introduces good-practice elements to consider for inclusion in the text of the Strategy when addressing the governance structure for national cybersecurity (including all entities with responsibilities and authorities for advancing the digital economy and reducing risk from cyber insecurity). The Strategy should clearly state the objectives and outcomes the government has for the country to increase its resilience and reduce risks to its companies, critical infrastructures, services, and assets. The Strategy should clearly identify the roles and responsibilities of the stakeholders tasked with its implementation and introduce measures to hold authorities and officials accountable for the implementation, monitoring, evaluation, and outcome of the Strategy (see Lifecycle of a National Cybersecurity Strategy).

To that end, the Strategy should identify and empower the competent authority accountable for the execution of the Strategy; establish a mechanism to identify and task the government entities affected by, or responsible for, the implementation of the Strategy; commit to include specific, measurable, attainable, result-based, and time-based objectives in the implementation plan for the Strategy; and recognise the need to commit resources (e.g., political will, funding, time, and people) to achieve the desired outcomes.

5.1.1 Ensure the highest level of support

The Strategy should have the formal endorsement of the highest level of government. This endorsement serves two important purposes. Firstly, it improves the likelihood that sufficient resources will be allocated and that coordination efforts will be successful. Secondly, it signals to the broader national ecosystem that the country’s cybersecurity is intertwined with its digital economy and other social and political aspects that depend on digital systems, and must be a national priority.

The Strategy may also need to be codified in the domestic legal framework in order to obtain national relevance and prioritization.

5.1.2 Establish a competent cybersecurity authority

The Strategy should identify a dedicated national competent authority that has the responsibility for executing the Strategy. This authority should be a leader (whether an individual or an entity) who is elevated and strongly anchored at the highest level of government to provide direction, to coordinate action, and to monitor the implementation of the Strategy. The competent authority should also be responsible for reporting on the progress and outcome of the Strategy.

Such a national competent authority should also act as the management entity that defines and clarifies roles, responsibilities, processes, decision rights, and the tasks required to ensure effective implementation of the Strategy. This includes identifying the stakeholders who will oversee the implementation of the Strategy and establishing performance targets for the various ministerial or governmental departments, institutions, or individuals responsible for specific aspects of the Strategy and the subsequent action plan. In some cases, the position of national competent authority for cybersecurity may have to be formalized in policy or law to empower it to perform its missions.

Given that cybersecurity intersects many different issue areas, it is important to ensure that the national competent authority has the ability to involve and direct relevant stakeholders. This too may require additional legislation that mandates government entities to report back to the national competent authority on their progress towards the Strategy’s outcomes in measurable terms. Key performance indicators (KPIs) are an effective way to assess such progress.

5.1.3 Ensure intra-governmental cooperation

The Strategy should establish a mechanism to identify and include the government entities affected by or responsible for its implementation. Intra-governmental commitment, coordination, and cooperation are core functions of those governmental institutions, needed to ensure that the governance mechanisms (e.g., standards, regulations, market incentives, etc.) and resources yield the desired outcomes of the Strategy. Having a well-established and high-level national cybersecurity competent authority will also help enhance intra-government coordination and cooperation.

Effective communication and coordination ensure that all ministries and government agencies are aware of each other’s respective authorities, missions, and tasks. Commitment, however, is about supporting consistent policies over time to ensure that promises in the Strategy are delivered. An example of a coordination mechanism would be conducting periodic meetings that involve all relevant stakeholders in the plans of actions that are to be jointly reviewed. An example of a cooperation mechanism would be the creation of an intra-government task force to address a particular issue. An example of commitment is consistency between the country’s domestic and foreign policy agendas, so that one ministry does not undermine the credibility of another by representing different positions on the same policy issue area (e.g., trade flow vs. export control of dual-use technologies).

5.1.4 Ensure inter-sectoral cooperation

The Strategy should reflect an understanding of the dependencies that the government has on the private sector and other national non-governmental stakeholders (and vice-versa) in achieving a more secure, safe, and resilient ecosystem (Principle of Inclusiveness). To this end, the Strategy should articulate how the government will engage these different stakeholders and define their roles and responsibilities. For example, the Strategy should identify a network of authoritative national contact points for critical industries that are essential for the operation and recovery of critical services and infrastructures.

The Strategy should be aligned with other national priorities, such as ensuring that connectivity is affordable, available, and inclusive; advancing data protection and privacy while promoting innovation; strengthening infrastructure resilience and service availability in the face of disasters, climate change, and pandemics; and exploring new technologies such as AI, blockchain, and quantum computing (Principle of Comprehensive Approach and Tailored Priorities, Section 4.2).

5.1.5 Allocate dedicated budget and resources

The Strategy should specify the allocation of dedicated and appropriate resources for its implementation, maintenance, and revision. Sufficient, consistent and continuous funding provides the foundations for an effective national cybersecurity posture.

Resources should be defined in terms of money (i.e., dedicated budget), people, and materiel. Successful execution also requires political commitment and leadership, underpinned by trusted partnerships. The objectives and tasks within the Strategy should not be viewed as a one-time allocation of resources. Resourcing requirements should be revisited regularly based upon progress or shortfalls in the implementation of the tasks or objectives of the Strategy.

The government may also consider the establishment of a central budget for cybersecurity, managed by a central cybersecurity governance mechanism. Whether assembling disparate funding sources into a coherent, integrated programme or creating a unified intra-governmental budget, the overall programme should be managed and tracked by milestones to ensure successful implementation of the Strategy.

5.1.6 Develop an implementation plan

The Strategy should be accompanied by, or reference, an implementation plan that outlines in greater detail how its strategic objectives will be achieved. Effective implementation plans identify the accountable entity responsible for each task and objective, the resources required to execute them over time (near-term, mid-term, long-term), the processes that will be used, and the outcomes that are expected (Section 3.4 on Initiating Implementation).


5.2 Focus area 2 – Risk management in national cybersecurity

This focus area introduces good practices for addressing cybersecurity through risk management. As stipulated in the Principle of Risk Management and Resilience (Section 4.6), a risk-management approach should be adopted, as cyber-risks cannot be fully eliminated. Rather, ensuring that a country has a good understanding of the risks to which it is exposed allows it to manage them most effectively. In assessing risk, the approach should focus on identifying inter-dependencies and should also consider risks arising from dependencies across the national border. The risk-management approach should cover the whole lifecycle, from development or procurement through operation to replacement.

It is also important to note that, as cybersecurity threats are extremely dynamic and unpredictable, any risk-management approach should be reviewed regularly. As such, the Strategy should plan for the monitoring and evaluation of risk-management activities to ensure continuous improvement.

5.2.1 Conduct a cyber threat assessment and align policies with the ever-expanding cyber threat landscape

The Strategy should identify and evaluate the evolving cyber threat environment and its potential impact and consequences for critical infrastructures and essential services. The Strategy should first identify the country’s domestic critical infrastructures and services – those physical and cyber systems and assets that are vital to the proper functioning of society and the economy, and whose incapacitation or destruction would have a debilitating impact on the physical or economic security or the public health or safety of the country.

A cyber threat landscape assessment should be conducted to identify the specific cyber threats and risks associated with critical infrastructures and services, as well as the individuals who use and rely upon them, and to help prioritize resources to protect them. Such an assessment would also inform and help align cyber risk management strategies with the country’s crisis management plan. It can also help harness the necessary capabilities/capacities, people, funding, and strategies to strengthen the overall cybersecurity posture of the Nation.

5.2.2 Define a risk-management approach

The Strategy should define a coherent approach for risk management to be followed by all government entities and critical infrastructure operators identified domestically.

The approach should build upon the cyber threat assessment and develop a national risk register, securely stored and communicated, to allow government oversight of the risks and of the approaches taken to manage them. The approach should moreover define a method of prioritisation based on the likelihood of each risk materialising and the impact it would have. It should furthermore specify the responsibilities of key entities in each sector regarding the assessment, acceptance, and treatment of national-level cybersecurity risks.

5.2.3 Identify a common methodology for managing cybersecurity risk

The Strategy should identify a common methodology for managing cybersecurity risks. This will ensure efficiency and consistency across all organisations and facilitate the exchange of threat and risk information across inter-dependent systems. A methodology based on international standards should be favoured as it may reduce costs and yield better interaction with the private sector.

The methodology should provide guidance on assigning roles and responsibilities for various aspects of managing risk, such as assessing the threats, valuing assets, implementing and maintaining mitigating measures, and accepting the residual risk. The methodology should include a certification programme to help assess and eventually improve compliance.

Importantly, for the procurement and development of infrastructures or services, the risk-management methodology should provide guidance on minimising risk through secure architecture and design and regular assessments/audits, recognising that security is best achieved when it is an integral part of the design, development, and implementation process of a product, process, or service (security by design).

5.2.4 Develop sectoral cybersecurity risk profiles

The Strategy should call for the use of sectoral risk profiles for cybersecurity. A sectoral risk profile is a quantitative analysis of the types of threats a sector faces. The goal of a risk profile is to provide a less subjective understanding of risk by assigning numerical values to variables representing the different types of threats and the danger they pose. The Strategy should recommend that risk profiles be developed for those sectors that the country considers most critical to its society and economy. (These sectoral risk profiles could form part of the cyber threat landscape assessment discussed in section 5.2.1.)

The use of sectoral risk profiles provides a basis for more specific risk assessments for individual organisations, introduces coherence within and across all sectors nationally, and reduces the resources needed for organisational risk assessments. They should be regularly updated to ensure that they remain current.
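The following is an added worked example, written for this edit and not part of the Guide or of any national methodology, that makes the prioritisation method of 5.2.2 and the numerical sectoral profiles of 5.2.4 concrete. It keeps a small national risk register, scores each entry as likelihood multiplied by impact on a 1-5 ordinal scale, and then scales that score by the number of other sectors that depend on the affected one, so that inter-dependencies (the point stressed in the introduction to this focus area) change the ranking. The scales, the sector dependency map, the register entries and the cascade multiplier are all constructed assumptions, chosen only to illustrate the mechanics.

```python
"""Added example: a prioritised national cyber risk register.

Constructed for illustration; not part of the Guide. Likelihood and impact
use a 1-5 ordinal scale (an assumption), and a constructed sector dependency
map lets impact cascade to dependent sectors, which is what distinguishes a
national register from the sum of organisational ones.
"""
from dataclasses import dataclass

# Constructed dependency map: each sector -> the sectors it cannot run without.
SECTOR_DEPENDENCIES = {
    "energy": set(),
    "water": {"energy"},
    "telecoms": {"energy"},
    "finance": {"energy", "telecoms"},
    "healthcare": {"energy", "telecoms", "water"},
}


@dataclass(frozen=True)
class Risk:
    identifier: str
    sector: str
    description: str
    likelihood: int             # 1 = rare ... 5 = almost certain
    impact: int                 # 1 = negligible ... 5 = catastrophic
    cross_border: bool = False  # threat or dependency sits outside the country


def validate(risk, deps=SECTOR_DEPENDENCIES):
    """Reject scores outside the scale or sectors the register does not know."""
    if risk.sector not in deps:
        raise ValueError(f"{risk.identifier}: unknown sector {risk.sector!r}")
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.identifier}: {name} {value} outside 1-5")


def dependents_of(sector, deps=SECTOR_DEPENDENCIES):
    """Sectors that directly or transitively depend on `sector` (cycle-safe)."""
    found = set()
    frontier = [sector]
    while frontier:
        current = frontier.pop()
        for candidate, needs in deps.items():
            if current in needs and candidate != sector and candidate not in found:
                found.add(candidate)
                frontier.append(candidate)
    return found


def base_score(risk):
    """Organisation-level view: likelihood x impact, in the range 1..25."""
    return risk.likelihood * risk.impact


def national_score(risk, deps=SECTOR_DEPENDENCIES):
    """National view: base score scaled by one plus the number of sectors
    whose services would be dragged down together with this one."""
    return base_score(risk) * (1 + len(dependents_of(risk.sector, deps)))


def prioritise(register, deps=SECTOR_DEPENDENCIES):
    """Validate every entry and rank by national score (ties broken by id)."""
    for risk in register:
        validate(risk, deps)
    return sorted(register, key=lambda r: (-national_score(r, deps), r.identifier))


def sectoral_profile(register, deps=SECTOR_DEPENDENCIES):
    """Per-sector summary of the kind a sectoral risk profile would publish."""
    profile = {}
    for risk in register:
        entry = profile.setdefault(
            risk.sector, {"risks": 0, "max_score": 0, "cross_border": 0})
        entry["risks"] += 1
        entry["max_score"] = max(entry["max_score"], national_score(risk, deps))
        entry["cross_border"] += int(risk.cross_border)
    return profile


# Constructed sample register (illustrative entries, not real assessments).
SAMPLE_REGISTER = [
    Risk("R1", "energy", "ransomware reaching a grid operator's OT network", 3, 5),
    Risk("R2", "finance", "DDoS against the national payment clearing system", 4, 4),
    Risk("R3", "telecoms", "compromise of a foreign upstream transit provider", 2, 4,
         cross_border=True),
    Risk("R4", "water", "default credentials on treatment-plant SCADA", 4, 3),
    Risk("R5", "healthcare", "ransomware against hospital record systems", 5, 3),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_REGISTER):
        print(f"{risk.identifier} {risk.sector:<11} base={base_score(risk):>2} "
              f"national={national_score(risk):>2}  {risk.description}")
    for sector, entry in sorted(sectoral_profile(SAMPLE_REGISTER).items()):
        print(sector, entry)
```

Run as written, the register ranks R1 (energy) first, then R3 (telecoms) and R4 (water), and only then R2 (finance), even though R2 has the highest organisation-level score of the five. That inversion is the point of a national register: the finance risk is contained within its own sector, whereas the energy, telecoms and water risks would propagate to the sectors that depend on them. The cascade multiplier is deliberately crude; a real methodology would weight dependencies and treat cross-border entries separately, but the register structure, the validation of scores and the separation of organisational from national scoring carry over.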

5.2.5 Establish cybersecurity policies

The Strategy should encourage the establishment of cybersecurity policies for critical national entities, such as government authorities and critical infrastructures operators, among others. Such policies, adopted in accordance with the Principle of an Appropriate Set of Policy Instruments (Section 4.7), would cover governance, operational and technical requirements, and instruct stakeholders on their roles and responsibilities, as well as guide or mandate specific approaches to these issues.

For example, this could include policies that address cybersecurity in procurement or development, define information-sharing programmes, coordinate vulnerability disclosure, set minimum standards of care, specify security baselines, define certification programmes for compliance, and mandate the reporting of cybersecurity incidents to the competent authorities.

A coordinated approach at the national level would lead to more efficient and effective cybersecurity management, as it would harmonise practices and facilitate coordination and interoperability.


5.3 Focus area 3 – Preparedness and resilience

This focus area provides an overview of good practices that support the establishment and sustainability of effective national capabilities to prepare for, prevent, detect, mitigate and respond to major cybersecurity incidents, and to improve a country’s overall cyber-resilience.

5.3.1 Establish cyber-incident response capabilities

The Strategy should call for the establishment of appropriate national incident response capabilities to address operational cybersecurity challenges. Often, this capability takes the form of Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs) or Computer Incident Response Teams (CIRTs) with national responsibility.

Although the specific organizational form of a CERT/CSIRT/CIRT may vary (e.g., national, government, sectoral, etc.), and not every country may have the same needs and resources, these specialised and dedicated teams should provide a set of both proactive and reactive functions, as well as preventive and educational services. Thus, these entities can increase a country’s ability to respond quickly and recover from cyberattacks, as well as improve its resilience against cyber-threats, reducing the possible overall economic and operational impact of nationally significant cyberattacks.

The services that a CERT/CSIRT/CIRT can offer include cyber-incident response and coordination, vulnerability management, situational awareness, knowledge transfer, and threat and intelligence information sharing. The Strategy may also encourage the establishment of Product Security Incident Response Teams (PSIRTs) by the private sector to enhance its ability to handle ICT product vulnerabilities.

The Strategy should also identify and develop cooperation mechanisms and communication procedures between national and sectoral incident response teams (should they exist in the country), as well as with international counterparts.

5.3.2 Establish contingency plans for cybersecurity crisis management and disaster recovery

The Strategy should call for the development of a national contingency plan for cybersecurity emergencies and crises. The plan should be part of, or aligned with, the overall national contingency plan. A specific plan for critical information infrastructures should also be considered.

This national cybersecurity contingency plan should consider the findings from the national risk assessments and any cross-sector dependencies that could affect the continuity of operations of critical infrastructures, as well as any disaster recovery mechanisms. Moreover, it should provide an overview of the national incident response mechanisms; as well as highlight how cybersecurity incidents are categorised and escalated, based on their impact on critical assets and services.

5.3.3 Promote information-sharing

The Strategy should call for the establishment of information-sharing mechanisms to enable the exchange of actionable intelligence and threat information between and amongst the public and private sectors.

Formal and informal information-sharing programmes can help foster effective coordination and consistent, accurate and appropriate communications during incident response and recovery activities; facilitate rapid sharing of threat and intelligence information among affected parties and other stakeholders; help improve the understanding of how and which sectors have been targeted; disseminate information on the methods that can be used to defend and mitigate damage on the affected assets; and ultimately reduce vulnerabilities and exposure along with their attendant risks.

The Strategy should identify one or more institutional structures (i.e., competent authorities) responsible for transmitting accurate and actionable information among the national cybersecurity community, including the public and private sectors.

Information-sharing should be a two-way process. If governments are willing to share the information they retain, their actions will demonstrate to private sector entities that the government is indeed a partner in threat information sharing, and help ensure that responders are focused on and better prepared to respond to essential threats.

5.3.4 Conduct cybersecurity exercises

The Strategy should encourage the organisation and coordination of domestic and international cybersecurity and incident response exercises. These can follow different formats (e.g., simulations or real-time exercises) and target technical and non-technical audiences.

Cybersecurity exercises and other crisis planning mechanisms can help countries develop the institutional capacity to perform incident response effectively, test crisis-management procedures and communication mechanisms, verify the operational ability of CERTs/CSIRTs/CIRTs to respond to cybersecurity incidents and service disruptions under pressure, and help understand any cross-sector dependencies.

Similarly, international cybersecurity exercises can help strengthen cyber-incident response capacity among countries, understand cross-border dependencies, build confidence and trust between countries, and improve the overall international resilience and preparedness levels.

5.3.5 Establish impact or severity assessment of cybersecurity incidents

The Strategy should encourage the establishment of impact or severity assessment mechanisms to evaluate cybersecurity incidents based on their impact on critical assets, services, infrastructure, and people. This type of assessment aims to understand the larger context of a cyber-related incident, including its potential and actual impacts on different sectors and/or population groups and its cascading effects.

Such assessments should be conducted in consultation with a wide range of stakeholders in an open, inclusive, and transparent manner. The assessments should be integrated into the national disaster recovery and contingency plans, and the results should inform cyber incident response overall.


5.4 Focus area 4 – Critical Infrastructure and essential services

This focus area investigates good practice relating to identifying and protecting Critical Infrastructures (CIs) and Critical Information Infrastructures (CIIs), and strengthening their resilience. The Strategy should recognise and promote the importance of advancing the security and continuity of CI and CII. The potential consequences of an incident impacting CI or CII can disrupt social order, the delivery of essential services, and the economic wellbeing of a country, and the Strategy should emphasize the importance of cyber risk management efforts intended to reduce the likelihood of such disruptive or destructive cyber incidents.

While there are no universally recognised definitions for the terms CI and CII, and governments need to consider which entities and services to include based on their own national risk assessment, for the purpose of this Guide, these terms are defined as follows:

  • Critical Infrastructures (CI) are assets that are essential to the functioning and security of a society and economy in any given nation; and
  • Critical Information Infrastructures (CII) are IT and ICT systems that operate key functions of the critical infrastructure of a nation.

The concept of essential services, in turn, refers to services that are essential for the maintenance of critical societal or economic activities.

In either case, a few non-exhaustive examples of CI, CII or essential services include: energy (electricity, oil and gas), transportation (air, rail, water and road), finance and banking (credit institutions, trading venues and central counterparties), healthcare (healthcare organisations, including hospitals, private clinics, and research institutions), utilities (water and sanitation supply and distribution), and digital and telecommunications (fixed and mobile telephone services and the provision of internet infrastructure, such as internet exchange points (IXPs) and the Domain Name System (DNS), among others). Definitions and designations may ultimately depend on the geopolitical, economic, and cultural characteristics of the national context.

5.4.1 Establish a risk-management approach to identifying and protecting critical infrastructure and essential services

The Strategy should address the importance of protecting CIs and CIIs from cyber-related risks and devising a comprehensive risk-management approach in accordance with the Principle of Risk Management and Resilience (Section 4.6).

A detailed risk assessment should guide the identification of national CIs and CIIs and essential services, whose disruption may have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy. The Strategy should include or be accompanied by a specific list of CIs and/or CIIs and their correlation, which can be periodically reviewed and updated as necessary.

While there exist a variety of different methodologies to identify CI and CII, nations might consider applying sectorial or functional criteria, such as dependencies and interdependencies with other infrastructure, service, and scope of impact, and the relevance of the infrastructure for maintaining a minimum service supply level. In this designation and review process, the Strategy should envisage the early and ongoing involvement of all the relevant stakeholders including public authorities, semi-public, and/or private infrastructure operators.

Furthermore, a risk-based approach should be adopted to identify and prioritise the implementation of programmes, policies, and practices designed to protect and strengthen the security and resiliency of CIs and CIIs. These programmes and policies should be structured so that CI and CII meet a common baseline of security practices, while also maintaining a level of flexibility to be consistent with their own risk assessments and risk management priorities. In order to leverage existing best practices, enable domestic industry to integrate with global ICT supply chains, and avoid CI/CII interoperability issues across national borders, a risk-management approach

5.4.2 Adopt a governance model with clear responsibilities

The Strategy should at a high level describe the governance structure, roles, and responsibilities of the different stakeholders for CI and CII protection. As stipulated in the Principle of Clear Leadership, Roles and Resource Allocation (Section 4.8), an effective and efficient CI-protection programme requires that stakeholders have clearly defined roles and responsibilities and establish a coordination mechanism for managing ongoing issues.

CIs and CIIs are often not owned or controlled by the government, and CI and CII protection efforts generally exceed the capabilities and mandate of any single agency in a government. Thus, appointing an overall coordinator for CI and CII (cyber-)security, such as an interagency committee, can greatly assist in efforts to protect critical infrastructure.

The governance model for CI and CII protection should include the identification of government entities in charge of specific verticals, the responsibilities and accountability of operators of CIs and CIIs, as well as the communication channels and cooperation mechanisms between public and private agencies to ensure the operation and recovery of critical services and infrastructures.

The governance model should include mechanisms that ensure coordination and alignment across government entities with overlapping missions. The governance should also ensure that sectoral regulators create clear and consistent security requirements that avoid duplication of tasks and streamline important compliance efforts across both public and private sector entities.

5.4.3 Define minimum cybersecurity baselines

The Strategy should either highlight the existing or propose the development of new legislative and regulatory frameworks outlining minimum cybersecurity baselines for CI and CII operators, among others. Security baselines should address a range of high-level risk management priorities as well as more specific cybersecurity practices, such as identifying cyber risks and establishing risk management governance structures; protecting data and systems via access management protocols and other measures; monitoring digital environments and detecting potential anomalies or events; and responding to and recovering from incidents. When developing such baselines, internationally-recognised standards and best practices should be considered to ensure better security outcomes and greater efficiencies. Baselines that are relevant across sectors should be developed as a starting point, enabling greater interoperability and consistency of sector-specific practices and streamlined compliance for cross-sector functions.

The Strategy should also highlight that cybersecurity baselines should be outcome-focused to ensure greater agility over time as the risk landscape and technology continue to rapidly evolve. Articulating what organisations should aim to achieve (e.g., “control logical access to critical resources”), rather than how organisations should implement security (e.g., “utilise two-factor authentication”), can allow government and industry to benefit from continuous security improvements. In addition, an outcome-based approach to the development of these baselines can be complemented by sector-specific implementation or “how to” guidance, which provides options to inform and integrate enterprise practices.

In addition to addressing a range of high-level risk management priorities, cybersecurity baselines should also include procurement requirements to ensure that ICT suppliers have adequate and auditable security measures in place.

The Strategy should support the establishment of a resilient national CI and CII environment, and prepare stakeholders to respond to, mitigate, and recover from potential cybersecurity incidents. The risk management approach should encourage the adoption of crisis management processes, business continuity measures, and recovery plans.

5.4.4 Utilise a wide range of market levers

The Strategy should consider a wide range of policies to ensure that all organisations and individuals are indeed incentivised to fulfil their individual cybersecurity responsibilities, commensurate with the risks they face, in accordance with the Principle of Comprehensive Approach and Tailored Priorities (Section 4.2).

Identifying gaps between what the markets can and should drive and what the risk environment requires is a crucial step towards determining when and how to leverage the range of incentives and disincentives available to improve security. To encourage the uptake of cybersecurity standards and practices across CIs and CIIs, the Strategy should indicate that the government will consider a range of policy options and market levers at its disposal.

5.4.5 Establish public private partnerships

The Strategy should encourage the creation of formal public-private partnerships to increase the security of CIs and CIIs. Public-private partnerships are a cornerstone of effectively protecting critical infrastructure and managing security risks in both the short- and long-term. They are essential for boosting trust amongst and between industry and the government.

However, establishing sustainable partnerships requires that all of the participating stakeholders have a clear understanding of the goals of the partnership and the mutual security benefits that stem from working together. Some of the areas could include: developing cross-sector and sector-specific cybersecurity baselines, establishing effective coordinating structures and information-sharing processes and protocols, building trust, identifying and exchanging ideas, approaches and best practices for improving security, as well as improving international coordination.


5.5 Focus area 5 – Capability and capacity building and awareness raising

Technology and policy considerations can dominate cybersecurity discussions, overlooking the fundamental human element at its core. This Focus Area addresses the challenges related to advancing cybersecurity capacity building (both human and institutional) and awareness raising among stakeholders, including government entities, citizens, businesses, and other organisations – crucial to enabling a country’s digital economy.

Good practices considered in this section include the coordination of capacity building activities, the establishment of dedicated cybersecurity curricula and awareness raising programmes, expansion of training schemes and workforce-development programmes, adoption of international certification schemes, and promotion of innovation and research and development (R&D) clusters.

5.5.1 Strategically plan capability and capacity building and awareness raising

The Strategy should assign clear roles and responsibilities to entities tasked with the coordination of capacity building and awareness raising activities at the national level to ensure resources are streamlined, efforts are not duplicated, and accountability is established. The appointed national authorities should also be responsible for monitoring the implementation and evaluating the outcomes of these activities, as well as recommending changes if necessary.

Cybersecurity capability and capacity building and awareness raising should be evidence-based and strategically planned. A detailed assessment of the national cybersecurity landscape and current capacity building initiatives should guide the identification of existing gaps in capacity needs, skills, and awareness and inform forward-looking solutions. Given differences within and among countries and regions, there is no one-size-fits-all approach to cybersecurity capability and capacity building, so the information gathered should be used to design approaches tailored to the specific political, economic, and social context. The responsible authorities might also produce an action plan that includes budget allocations, timelines, and metrics to monitor the progress of each of these planned actions.

5.5.2 Develop cybersecurity curricula

The Strategy should facilitate the development or expansion of dedicated school curricula aimed at accelerating cybersecurity skills development and awareness throughout the formal education system. Curricula should be inter/multi-disciplinary and cover not only technical but also non-technical cybersecurity skills and topics, such as digital literacy, public policy, law, governance, economics, risk management, ethics, social sciences, and international relations. Dedicated cybersecurity curricula should be developed across primary and secondary schools, cybersecurity courses should be integrated into all computer science and IT programmes in higher education, and dedicated cybersecurity degrees and apprenticeships should be created.

Given the multi-disciplinary nature of cybersecurity education, universities, colleges, and other educational institutions should be encouraged to work across departments and with other academic partners to optimize resources and efforts when developing or updating their programmes. These institutions can play a critical role in educating civilian and military workforces on the unique tenets of cybersecurity and can serve as incubators for the future workforce, bringing together theory with methodology, tools, and implementation, and optimizing campus-wide resources to combine knowledge, intellectual capacity, and practical skills.

Additionally, the curricula should foster awareness of and stimulate interest in cybersecurity career opportunities. To further the efforts in this space, the government should also consider establishing various incentive schemes, such as scholarships for private education programmes and grants for relevant apprenticeships.

5.5.3 Stimulate capacity development and workforce training

The Strategy should encourage the development of cybersecurity training and skills development schemes for experts and non-experts in both public and private sectors. The effort could include the provision of executive and operational training, formal internships and traineeships, and (national and international) certification of security professionals, based on the needs identified by industry and government. The Strategy should also encourage specific training for national-level actors involved in domestic and foreign policy, including regulators and legislators. Training should be complemented with initiatives focused on cyber risk management, and with practical exercises, such as drills and simulations, within and among government entities and other stakeholders.

The Strategy should also foster initiatives that aim to develop dedicated cybersecurity career paths and an effective pipeline of future employees, in particular for the public sector, and promote incentives to increase the supply of qualified cybersecurity professionals and help retain talent. These should be created in partnership with academia, the private sector, and civil society. To address the ongoing gender gap among cybersecurity experts, a gender-balanced approach that motivates, encourages, and facilitates more engagement from women should be considered across all efforts aimed at skills development and training, ensuring inclusivity in the future.

5.5.4 Implement a coordinated cybersecurity awareness-raising programme

The entities responsible for cybersecurity awareness campaigns and activities at the national level should collaborate with relevant stakeholders to develop and implement cybersecurity awareness programmes focusing on disseminating information about cybersecurity risks and threats, as well as about best practices for countering them.

A cybersecurity awareness-raising programme could include awareness-raising campaigns aimed at the general public, children, and the digitally challenged; consumer-focused education programmes; and awareness-raising initiatives targeted at executives across the public and private sectors, among others. Awareness programmes should include relevant KPIs and metrics for measuring impact and effectiveness.

5.5.5 Foster cybersecurity innovation and R&D

The Strategy should foster an environment that stimulates basic and applied research in cybersecurity across sectors and various stakeholder groups. Such initiatives include, for example, ensuring that national research efforts support the objectives of the National Cybersecurity Strategy; developing cybersecurity-focused R&D programmes in public research organisations; and effectively developing and disseminating new findings, baseline technologies, techniques, processes, and tools. The Strategy should also envisage developing an efficient and sufficient local market of cybersecurity services.

Moreover, as part of the Strategy, countries should also seek to establish ties with the international research community in the scientific fields related to cybersecurity, such as computer science, electrical engineering, applied mathematics and cryptography, but also non-technical fields such as social and political sciences, business and management studies, criminology and psychology to name a few.

The Strategy should look at incentive mechanisms available from grants, procurements, tax credits, competitions, and other initiatives that encourage the development of innovative cybersecurity solutions, products, and services.

5.5.6 Tailor programmes for vulnerable sectors and groups

The Strategy should identify those groups of society which require particular attention when it comes to cybersecurity capacity and capability building and awareness raising. These include groups which have been identified as being particularly at risk or which need to be empowered to protect themselves, such as small and medium enterprises (SMEs), community-based organizations (CBOs), underserved communities, and/or low-income communities.


5.6 Focus area 6 – Legislation and regulation

This focus area covers the development of a legal and regulatory framework to protect society against cybercrime and promote a safe and secure cyber environment, in accordance with the Principles of Inclusiveness, Fundamental Human Rights, and Trust Environment (Sections 4.3, 4.5 and 4.9, respectively). Such a framework should include: the adoption of legislation that defines what constitutes illegal cyber-activity, as well as the procedural tools that are needed to investigate and prosecute these crimes at the national level and to cooperate cross-border; establishment of compliance mechanisms; the building of capacity to enforce the framework; institutionalization of critical entities; and international cooperation to fight cybercrime. The framework should recognize and be consistent with the country’s obligations under international, regional, and national human rights law.

Cybersecurity, cybercrime, and protection of personal data are interrelated concepts. Countries should establish a legal and regulatory framework which covers these three areas in a holistic and coherent way.

The Strategy should inform and guide the development of legislation so that roles and responsibilities of actors involved in applying the law are clear and well-defined, while ensuring compliance with existing legal principles and provisions. The Strategy should map the existing legal and regulatory framework, including operational aspects, and identify areas where new or revised legislation and regulation is required.

5.6.1 Establish a domestic legal framework for cybersecurity

The Strategy should encourage the development of domestic cybersecurity and data protection legal frameworks, which refer to actions relevant to the prevention, monitoring, and handling of cyber-related incidents, and any other action that public and private entities should undertake to foster a secure and resilient national cyberspace.

In the current absence of an international legal instrument defining the aspects of cybersecurity regulations, the country will have to rely on regional and/or national best practices for establishing its domestic legal frameworks for cybersecurity. The Strategy should build upon current acts and regulations tackling such aspects, if any, and establish, update, and reform the legal framework for cybersecurity, including but not limited to: information security rules and their applicability to the security of information systems; identification of national critical information infrastructure; establishment of national and sectoral agencies dealing with cybersecurity aspects (i.e., national cybersecurity agencies and national and sectoral CERTs/CSIRTs/CIRTs); certification of cybersecurity organisations, processes, products, and policies; national/state security rules applicable to the security of cyberspace; and other relevant matters.

Further, the Strategy should provide guidance on how to deal with common regulatory approaches that concern both cybersecurity and cybercrime (for example, cross-sectoral exchange of information and intelligence sharing mechanisms, reporting and criminal justice statistics, joint response and public-private cooperation, among others).

5.6.2 Establish a domestic legal framework on cybercrime and electronic evidence

The Strategy should promote the development of a domestic legal framework that clearly defines what constitutes cybercrime and related criminal offences, and that provides adequate procedural powers for effective investigation and prosecution, as well as adjudication of related cases on the basis of admissible electronic evidence.

Most often, this capability takes the form of cybercrime legislation, which can be achieved by enacting specific new laws or amending existing ones (e.g., the penal code, laws regulating banking, telecommunications and other sectors). These laws should specify: substantive criminal offences (offences against or by means of computer systems or data); procedural means to collect electronic evidence (ranging from preservation of integrity of data to search and seizure, and from production order to real-time interception of content data); and tools for expedited and effective international cooperation in such cases. In order to establish clear and enforceable cybercrime legislation across borders, countries should try to harmonize their domestic legal framework with existing international and regional legal instruments on this matter.

The Strategy should provide guidance also to operational aspects of cybercrime investigation and prosecution (e.g., establishment of specialized units, proper digital forensics capacities, standard operating procedures, crime reporting, etc.) that may not be set at the level of primary legislation but could be nevertheless provided as secondary regulations, guidelines, or best practices.

The Strategy should also encourage the creation of a process to monitor the implementation and review of legislation and governance mechanisms, identify gaps and overlapping authorities, and clarify and prioritise areas that require modernisation (e.g., existing laws such as old telecommunication laws).

5.6.3 Recognise and safeguard human rights and liberties

The Strategy should promote the development of domestic legal frameworks on cybersecurity, cybercrime and other related areas that respect and protect human rights. In doing so, the differences of context between cybersecurity (technical aspects of security) and cybercrime (criminal justice response) should be properly highlighted and considered.

The Strategy should pay particular attention to technology-related legal issues that can affect the level of cybersecurity and which have impacts on human rights (e.g., encryption, anonymity, vulnerability disclosure, ethical hacking, and others). In doing so, the Strategy should promote approaches that are consistent with individuals’ human rights.

In terms of cybercrime and criminal justice matters overall, the Strategy should safeguard essential due process rights applicable in criminal investigations and prosecutions, as well as rights of privacy and personal data protection, and freedom of expression, in accordance with the Principle of Fundamental Human Rights and Trust (Sections 4.5 and 4.9).

The Strategy should also ensure that the rights of those who are victims of – or at risk from – cyber incidents and cybercrime are sufficiently taken into consideration and protected.

5.6.4 Create compliance mechanisms

The Strategy should promote the establishment of domestic compliance mechanisms (both enforcement and incentives). These mechanisms should be set in place to prevent, combat, and mitigate actions directed against the confidentiality, integrity, and availability of ICT systems and infrastructures, and threatening computer data, in accordance with the aforementioned legal framework. They should inter alia cover the particularities of response to cyber incidents, criminal investigations, specialized procedures (such as lawful interception of communications), and use of electronic evidence.

5.6.5 Promote capacity-building for law enforcement

The Strategy should encourage the development of cyber-law-enforcement capacity, including training and education for a range of stakeholders involved in combating cybercrime (e.g., judges, prosecutors, lawyers, law-enforcement officials, forensic specialists, financial investigators, and others). Law enforcement should receive specialised training to interpret and apply domestic cybercrime laws (i.e., translate the law into technical notions and vice versa); to effectively detect, deter, investigate and prosecute cybercrime offences while respecting human rights; and to effectively collaborate with industry and international law-enforcement entities (e.g., INTERPOL, Europol) to tackle cybercrime and to boost cybersecurity. Such training and education should be continuous, cover all relevant criminal justice and security professionals, and be kept up-to-date with current cyber-related challenges and threats. This element should take into consideration focus area 5 on Capability and Capacity Building and Awareness Raising (Section 5.5).

5.6.6 Establish inter-organisational processes

The Strategy should identify and recognise the mandates of domestic agencies with the primary authority to ensure compliance with cybercrime legislation (primarily criminal justice authorities and forensic services), those responsible for prevention of and response to cyber incidents that rise to the national level (including protection of critical information infrastructures), and those responsible for ensuring that all international cybercrime requirements are being met (e.g., ensuring that national laws comply with international treaty obligations) and across judicial lines (e.g., cross-border cooperation) (see also Sections 5.1.3 and 5.1.4; and Section 5.6.6).

5.6.7 Support international cooperation to combat cyber threats and cybercrime

The Strategy should demonstrate a commitment to protect society against cybercrime globally, through ratification, where possible and in accordance with the overall national agenda, of international cybercrime agreements or equivalent agreements to fight cybercrime, and through the promotion of coordination mechanisms to address international cybercrime. This may include aligning national laws with international treaty obligations and bilateral agreements, for example by establishing mutual legal assistance, enabling cross-border investigations and prosecutions, handling of digital evidence, and extradition.

Also, the Strategy should recognize the importance of building informal mechanisms that enable trusted cooperation and cross-border exchange of information, intelligence, and technical support between cybersecurity actors in both the public and private sectors.

In particular, international law enforcement cooperation plays a vital role in combating cybercrime through the exchange of information, cross-border investigations, operations, and arrests. For example, INTERPOL provides a secure global police communications system for countries to facilitate police-to-police requests and formal mutual legal assistance requests from one central authority to another. These channels can assist in the investigation and prosecution of cybercrime beyond a nation’s borders. Law enforcement cooperation can also help improve cross-jurisdictional interoperability and ensure timely and coordinated joint police actions. Other organizations like AFRIPOL, AMERIPOL, ASEANAPOL, GCCPOL, ECOPOL, and Europol are likewise fostering law enforcement cooperation at the regional level.

These elements should take into consideration focus area 7 on international cooperation (Section 5.7).


5.7 Focus area 7 – International cooperation

This focus area emphasises the elements that the Strategy should cover in terms of external cybersecurity engagements of a particular country, both at regional and international levels. With digitalisation impacting all areas of international relations, such as human rights; economic and social development; trade negotiations; commerce relations; arms control; the use of new and disruptive technologies; security of supply chains; and security, stability, peace, and conflict resolution, cybersecurity has become an integral part of a country’s foreign policy.

The Strategy should therefore recognise the borderless nature and international dimension of cybersecurity, and highlight the need to engage in international discussions and cooperate with both national and international stakeholders, as well as civil society, industry, and non-governmental organizations. International engagements with public and private stakeholders are key to facilitating a constructive dialogue, developing trust and cooperation mechanisms, finding mutually acceptable solutions and addressing common challenges, and creating a global understanding of the importance of cybersecurity and resilience.

In accordance with the principle of comprehensive approach and tailored priorities (Section 4.2), regional and international cooperation should be fostered in harmony with the political, social, cultural, and economic layout of the country. The country’s cybersecurity priorities should inform and be aligned with its foreign policy’s goals and vice versa.

5.7.1 Recognise cybersecurity as a component of foreign policy and align domestic and international efforts

The Strategy should express a commitment to international cooperation on cybersecurity and recognise cyber-issues as an integral component of the country’s foreign policy across all relevant areas, including international cyber stability and trade negotiation.

The Strategy should clearly articulate the government’s focus areas and indicate long-term objectives for international cooperation, including which stakeholders (e.g., public, private, regional, global) would be engaged. Such focus areas might include, for instance, support for the establishment of international cybersecurity norms and confidence-building measures (CBMs), commitment to cybersecurity capacity-building (CCB), participation in the development of international cybersecurity standards, as well as joining existing regional and international processes.

Moreover, the Strategy should ensure consistency between the country’s domestic and foreign-policy agendas by harmonising its national legal framework and policies with its international commitments, and aligning its national cybersecurity approaches with its international efforts. This may also require harmonisation among different governmental entities (e.g., head of state and cabinet, Ministry of Foreign Affairs, Ministry of ICT, Ministry of Industry and Trade, Ministry of Justice, Ministry of Defence, etc.) so that the policy position expressed by one domestic entity at a negotiating table in the international arena is properly coordinated and aligned with other governmental bodies.

5.7.2 Engage in international discussions and commit to implementation

The Strategy should identify specific international fora and cooperation mechanisms that the country wishes to join or cooperate with to effectively engage internationally on cyber-related issues. These could include regional or global organisations, standardisation bodies, intergovernmental or multistakeholder discussions, public and/or private-sector alliances, as well as established traditional cooperation and collaboration mechanisms that have a cyber or digital component.

The Strategy should specify the country’s commitment to the application of international law, including the Charter of the United Nations and international human rights law. It could also outline a national commitment to join and implement existing regional and international instruments to combat cybercrime and other cyber threats (e.g., the Council of Europe’s Budapest Convention on Cybercrime, the African Union’s Convention on Cybersecurity, the Arab Convention on Combating Information Technology Offences, the ECOWAS Directive on fighting cybercrime, etc.). The Strategy should recognize that many international trade agreements also have a digital or cyber component (e.g., the Wassenaar Arrangement governs dual-use technologies, and the United States-Mexico-Canada Agreement (USMCA) and the Regional Comprehensive Economic Partnership (RCEP) among Asia-Pacific nations govern cross-border data flows).

The Strategy should also encourage the country’s commitment to the furtherance of voluntary norms of responsible State behaviour in cyberspace and of CBMs in cyberspace. Notable examples of international efforts and fora for the elaboration of such norms and CBMs include the UN Open-ended Working Group on security of and in the use of information and communications technologies (OEWG), the work of the Organization for Security and Co-operation in Europe (OSCE) on confidence-building measures and international norms applicable in cyberspace, the work of the G7’s High-Tech Crime Subgroup, as well as other regional initiatives and multistakeholder efforts (e.g., the Paris Call, industry initiatives, etc.). It is important to prioritise international engagement efforts, allocate adequate resources (personnel and money), and define adequate mandates to ensure that they deliver concrete results.

The Strategy should also express the commitment to the implementation of the agreed norms of voluntary State behaviour in cyberspace such as the ones proposed by the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security in its 2015 report, and further developed by the GGE on Advancing responsible State behaviour in cyberspace in the context of international security, which concluded its work in May 2021.

5.7.3 Promote formal and informal cooperation in cyberspace

The Strategy should indicate the operational (both public and private sector) international cooperation mechanisms that the country wishes to commit to. The country may wish to engage in formal and informal international endeavors advancing cooperation on policy and legislative development, law enforcement (e.g., INTERPOL, EUROPOL, WIPO), incident response, information- and threat-sharing (e.g., FIRST, ISACs), among others. Participation in such initiatives could support better cooperation and exchange of timely and actionable information between relevant authorities on potential threats and vulnerabilities and coordination in defense and response mechanisms.

Cross-border information exchanges with private sector organizations and industry dealing with cybersecurity threats (anti-virus companies, threat intelligence community, global social media providers and other relevant actors) should be considered an important component of international cooperation efforts as well.

5.7.4 Promote capacity building for international cooperation

As the country begins to undertake international engagements, these will likely require the government to develop additional competencies and skills focused on cyber-issues and increase its overall capacity to address an ever-increasing range of cyber issues, including international cyber stability, data protection and privacy, trade, commerce, arms control, the use of new and disruptive technologies, security of supply, and other digital matters.

In order to effectively engage in international discussions and cooperation, it is important to encourage the development and use of competencies and skills focused on cyber-issues (including cyber-diplomacy and trade negotiations) to complement the traditional methods and processes of diplomacy and trade. The Strategy may also include the development of specific organisational structures and the establishment of some dedicated office or trained personnel whose primary focus is diplomatic engagement on cyber-issues relating to trade, diplomacy, and international law.

Other priority areas for capacity building may include CERT/CSIRT cooperation, law enforcement and judicial cooperation, applicable public international law, voluntary norms of responsible State behaviour, etc. Various international capacity building programmes are available to support such efforts (e.g., GLACY+, the Global Forum on Cyber Expertise (GFCE), INTERPOL, etc.). For instance, law enforcement capacity building efforts can help local and national law enforcement agencies enhance their skills, knowledge, and technical capabilities to leverage high-tech tools and systems for cross-border cybercrime prevention, detection, investigation, and prosecution. They can also allow law enforcement to keep abreast of cybercrime trends and the ever-evolving threat landscape to stay ahead of crime.

The Strategy should consider existing regional and international cybersecurity initiatives and foster harmonisation and alignment. This would allow the country to leverage existing good practices, as well as to contribute towards cohesion and convergence of cybersecurity approaches.

The Strategy should encourage peer-learning and the transfer of cybersecurity knowledge and skills with international partners. Furthermore, participation in international events and cybersecurity exercises can provide both means for cybersecurity capacity building and for building trust and fostering international cooperation.
