This Section presents nine cross-cutting principles, which taken together can help in the development of a forward-looking and holistic National Cybersecurity Strategy.
These principles are applicable to all key focus areas identified in this document. They should be considered in all steps of a National Strategy development process, from the drafting of the National Strategy document to its implementation.
The order of these principles reflects a logical narrative rather than an order of importance.
4.1 Vision
The Strategy should set a clear whole-of-government and whole-of-society vision.
A Strategy is more likely to be successful when it sets a vision that helps all stakeholders understand what is at stake and why the Strategy is needed (context), what is to be accomplished (objectives), as well as what it is about and who it impacts (scope).
The clearer the vision, the easier it will be for leaders and key stakeholders to ensure a more comprehensive, consistent, and coherent approach. A clear vision also facilitates coordination, co-operation, and implementation of the Strategy amongst the relevant stakeholders. It should be formulated at a sufficiently high level and consider the dynamic nature of the digital environment.
The objectives and implementation timeline of the Strategy should be aligned with this vision.
Further references available here.
4.2 Comprehensive approach and tailored priorities
The Strategy should result from an all-encompassing understanding and analysis of the overall digital environment, yet be tailored to the country’s circumstances and priorities.
Cybersecurity is not only a technical challenge but a complex multi-faceted issue, with aspects extending beyond economic and social prosperity into areas such as law enforcement, national and international security, international relations, trade negotiations, and sustainable development.
It is important to understand all the aspects of cybersecurity and how they interrelate, potentially complementing or competing with each other. Based on this understanding and an analysis of the country’s specific context, priorities can then be defined in line with the objectives and implementation timeline of the Strategy. Priorities will allow for setting up specific objectives and timelines and to allocate the necessary resources.
The priorities included in a National Cybersecurity Strategy will vary by country. Some of the cybersecurity topics can be addressed in the same or in separate strategic documents (e.g., digital aspects of national security and defence can be addressed within a national security or defence strategy).
Further references available here.
4.3 Inclusiveness
The Strategy should be developed with the active participation of all the relevant stakeholders, and it should address their needs and responsibilities.
The digital environment has become critical to governments, organisations, and individuals. These groups face cybersecurity risks and share a level of responsibility in managing them, depending on their role. For this reason, it is advisable for governments to establish partnerships and collaboration mechanisms to include the private sector and civil society in cyber strategy negotiations and implementation.
While it may be a difficult task, identifying and meaningfully engaging all the relevant stakeholders is essential to the development and successful implementation of a National Cybersecurity Strategy. This will help understand stakeholder needs and their unique knowledge and expertise, thus facilitating cooperation towards achieving the objectives of the Strategy.
To foster inclusiveness and transparency, the Strategy should be a public document.
Further references available here.
4.4 Economic and social prosperity
The Strategy should foster economic and social prosperity and maximise the contribution of ICT to sustainable development and social inclusiveness.
The digital environment has the potential to expedite economic growth and social progress, to advance key societal values, to improve public-service delivery and capacity, to facilitate international trade, and to promote good governance.
The increasing reliance on the digital environment for the functioning of societies demands increased attention on cybersecurity. However, cybersecurity is not a goal in itself; the Strategy should be aligned with the country’s broader socio-economic objectives and lead to building the trust and confidence necessary to both help realise these objectives as well as protect the country from cyber-threats.
Further references available here.
4.5 Fundamental human rights
The Strategy should respect and be consistent with fundamental human rights.
The Strategy should recognise the fact that rights that people have offline must also be protected online. It should respect universally agreed fundamental human rights, including, but not limited to, the ones found in the United Nations’ Universal Declaration of Human Rights and International Covenant on Civil and Political Rights, as well as relevant multilateral or regional legal frameworks.
Attention should be paid to freedom of expression, privacy of communications, and personal data protection. In particular, the Strategy should avoid facilitating the practice of arbitrary, unjustified or otherwise unlawful surveillance, interception of communications, or processing of personal data.
In ensuring that the State is able to take action to meet its legitimate interests while still respecting individuals’ human rights, the Strategy should ensure that, where applicable, surveillance, interception of communications, and collection of data are conducted within the context of a specific investigation or legal case, authorised by the relevant national authority and on the basis of a public, precise, comprehensive, and non-discriminatory legal framework enabling effective oversight, procedural safeguards, and remedies.
Further references available here.
4.6 Risk management and resilience
The Strategy should enable an efficient management of cybersecurity risks and drive the resilience of the economic and social activities.
While the digital environment provides stakeholders with economic and social opportunities, it also exposes them to cybersecurity risk. For example, when organisations use ICT to foster innovation, gain productivity, and improve competitiveness, or when governments deploy their services online, cybersecurity incidents can occur, potentially resulting in financial loss, reputational damage, disruption of operations, physical impacts, undermining of innovation, etc. As with other types of risk, cybersecurity risk cannot be entirely eliminated but they can be managed and minimised.
To address that challenge, the Strategy should encourage entities to prioritise their cybersecurity investments and to proactively manage risk. Depending on an entity’s risk appetite, a balance has to be maintained between security measures and potential benefits, considering the dynamic nature of the digital environment. The Strategy should also recognise the need for continuous risk management and facilitate a coherent approach across interdependent entities.
The focus on risk management will also prepare stakeholders for potential security incidents and compromises, ensuring the resilience of economic and societal activity in the country. With that in mind, the Strategy should encourage the adoption of business-continuity and disaster recovery measures, which include incident and crisis management, as well as recovery plans.
Further references available here.
4.7 Appropriate set of policy instruments
The Strategy should utilise the most appropriate policy instruments available to realise each of its objectives, considering the country’s specific circumstances.
The government’s cybersecurity goals will only be achieved if a change in behaviour occurs across all stakeholders involved. In most cases, governments have different levers and policy instruments at their disposal to achieve that outcome. These include legislation, regulation, standardisation, certifications, incentives, information-sharing programmes and mechanisms, education programmes, sharing best-practice, setting expected norms of behaviour, and building communities of trust among others. Each of these has its own strengths and weaknesses, comes at differing cost, and brings different results.
The best results can be achieved by selecting the most appropriate policy instrument for each individual objective and balancing the use of different tools.
Further references available here.
4.8 Clear leadership, roles, and resource allocation
The Strategy should be set at the highest level of the government, which will then be responsible for assigning relevant roles and responsibilities and allocating sufficient human and financial resources.
Cybersecurity should be promoted and sustained at the highest levels of government. Moreover, to ensure accountability and progress, focal points of individual work streams need to be identified, and all parties involved should have a clear understanding of their respective roles and responsibilities.
The Strategy should also allocate the human, financial, and material resources necessary for its implementation. This principle needs to guide both the Strategy development process and the elaboration of the action plan for the Strategy.
Further references available here.
4.9 Trust environment
The Strategy should help build a digital environment that citizens and organisations can trust.
Building trust in the national digital ecosystem, in which users’ rights and interests are protected and security of data and systems is assured, is essential to realise the full potential of the social, political, and economic opportunities offered by the use of ICTs. The Strategy must enable policies, processes, and actions at the national level in order to render secure critical services (including e-governance, e-commerce, digital financial transactions, tele-medicine, among others) supported by ICTs and utilised by citizens. Such course of actions would inculcate the principle of trust not only among the general population but also within those public and private organisations that will offer their ICT-related services to citizens.
Further references available here.