Since its creation, Information and Communication Technology has evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.
As a result, national leaders have started to launch digital strategies and to fund projects that increase Internet connectivity and leverage the benefits stemming from the use of ICTs, to stimulate economic growth, to increase productivity and efficiency, to improve service delivery and capacity, to provide access to business and information, to enable e-learning, to enhance workforce skills and to promote good governance. Countries cannot ignore the opportunities associated with becoming connected and participating in the Internet economy.
While the reliance of our societies on the digital infrastructure is growing, technology remains inherently vulnerable. The confidentiality, integrity and availability of ICT infrastructure are challenged by rapidly evolving risks, including electronic fraud, theft of intellectual property and personally identifiable information, disruption of service, and damage or destruction of property. The transformational power of ICTs and the Internet as catalysts for economic growth and social development is at a critical point where citizens’ and national trust and confidence in the use of ICTs are being eroded by cyber-insecurity.
To fully realise the potential of technology, states must align their national economic visions with their national security priorities. If the security risks associated with the proliferation of ICT-enabled infrastructure and Internet applications are not appropriately balanced with comprehensive national cybersecurity strategies and resilience plans, countries will be unable to achieve the economic growth and the national security goals they are seeking.
In response, nations are developing both offensive and defensive capabilities to defend themselves from illicit and illegal activities in cyberspace and to pre-empt incidents before they can cause harm to their nations. This document will look specifically at defensive responses, particularly in the form of national cybersecurity strategies.
2.1 What is cybersecurity
Several national and international definitions of the term “cybersecurity” exist. For the purpose of this document, the term “cybersecurity” is meant to describe the collection of tools, policies, guidelines, risk management approaches, actions, trainings, best practices, assurance, and technologies that can be used to protect the availability, integrity, and confidentiality of assets in the connected infrastructures pertaining to government, private organisations, and citizens; these assets include connected computing devices, personnel, infrastructure, applications, digital services, telecommunications systems, and data in the digital environment.
2.2 Benefits of a National Cybersecurity Strategy and strategy development process
National cybersecurity strategies can take many forms and can go into varying levels of detail, depending on the particular country’s objectives and levels of cyber-readiness. Therefore, there is no established and commonly agreed definition of what constitutes a National Cybersecurity Strategy.
Relying on existing research in this area, this document encourages stakeholders to think of a National Cybersecurity Strategy as:
- an expression of the vision, high-level objectives, principles and priorities that guide a country in addressing cybersecurity;
- an overview of the stakeholders tasked with improving cybersecurity of the nation and their respective roles and responsibilities; and
- a description of the steps, programmes and initiatives that a country will undertake to protect its national cyber-infrastructure and, in the process, increase its security and resilience.
Setting the vision, objectives, and priorities upfront enables governments to look at cybersecurity holistically across their national digital ecosystem, instead of at a particular sector, objective, or in response to a specific risk – it allows them to be strategic. Priorities for national cybersecurity strategies vary by country, so while the focus for one country may be addressing critical infrastructure-related risks, for others it may be protecting intellectual property, promoting trust in the online environment, or improving cybersecurity awareness of the general public, or a combination of these issues.
The need to identify and subsequently prioritise investments and resources is critical to successfully managing risks in an area as all-encompassing as cybersecurity.
A National Cybersecurity Strategy also provides the opportunity to align cybersecurity priorities with other ICT-related objectives. Cybersecurity is central to achieving socio-economic objectives of modern economies and the Strategy should reflect how those are supported. This can be done by referencing existing policies that seek to implement a country’s digital or developmental agendas or by assessing how cybersecurity can be incorporated into them.
Finally, a National Cybersecurity Strategy development process should translate a government’s vision into coherent and implementable policies that will help it achieve its objectives. This includes not only the steps, programmes and initiatives that should be put in place, but also the resources allocated for those efforts and how these resources should be used. Similarly, the process should identify the metrics that will be used to help ensure that desired outcomes are achieved within set budgets and timelines.