❖ Information and Communication Technologies (ICTs) are the catalysts for economic and social transformation. However, the economy and society are becoming more vulnerable to cyberthreats and cyberattacks.
❖ To fully realise the promises of ICTs, the national government needs to develop and implement a cybersecurity strategy. Here are five suggested steps: initiation, situational analysis and risk assessment, strategy drafting, implementation plan, and monitoring and evaluation plan.
❖ International norms for cyberspace need to be implemented at a national level. Policymakers must therefore keep the goals of international norms in mind when developing their national cybersecurity strategy and associated policies.
Undoubtedly, Information and Communication Technologies (ICTs) have significantly transformed the way we work and live. The internet, for example, has become the foundation of modern business, vital services and infrastructure, social networks and the global economy as a whole.
Our economies are becoming increasingly dependent on digital infrastructure, yet technology remains inherently vulnerable. The confidentiality, integrity and availability of ICT infrastructure are threatened by rapidly evolving cyberthreats, including electronic fraud, theft of intellectual property and personally identifiable information, disruption of services, and loss or destruction of property.
The transformational potential of ICTs and the Internet as a catalyst for economic growth and social development is at a critical juncture where national confidence and faith in the use of ICTs are being eroded by cyber insecurity.
To fully realize the promises of technology, governments must match their national economic goals with their national security objectives. If the security risks associated with the proliferation of ICT-enabled networks and internet technologies are not properly balanced with robust national cyber security policies and resilience measures, countries will neither be able to achieve economic growth nor meet their national security goals.
That is why developing and implementing a National Cybersecurity Strategy is critical for a nation to improve the security of its digital infrastructure, which will ultimately contribute to its broader socio-economic aspirations. This paper aims to provide important steps that a country can follow in order to draft an effective national cybersecurity strategy.
The benefits of developing a national cybersecurity strategy
A national cybersecurity strategy is a plan of actions designed to improve the security and resilience of national infrastructures and services. It is a high-level top-down approach to cybersecurity, which establishes a range of national objectives and priorities that should be achieved in a specific timeframe.
Such a strategy is vital for managing national-level cybersecurity risks and for developing appropriate regulations to support those efforts. Developing a vision, goals and priorities allows policymakers to look at cyber security in a holistic way across the national digital ecosystem, rather than at a specific sector, goal, or threat. Thus, it enables them to act strategically and adapt as conditions change. Priorities for national cybersecurity policies vary by country. While the priority of one country may be mitigating critical infrastructure threats, others may focus on defending intellectual property, cultivating confidence in the online environment, or improving public understanding of cyber security. Others may focus on a mixture of these things.
Having a strong national cybersecurity strategy also helps to promote private sector growth and create a more competitive business environment. E-commerce, for example, will grow due to a more secure digital environment, which will in turn allow more competition, bringing substantial benefits to consumers. Such a strategy also plays a critical role in drawing foreign investment. With the prevalence of intellectual property in the online domain today, businesses want to ensure that they will be able to protect their assets if they come under attack.
Steps to develop a national cybersecurity strategy
This section outlines five recommended phases to develop an effective national cybersecurity strategy.
Phase 1: Initiation
The initiation phase provides the foundation for an efficient strategy drafting process. This step focuses on the procedures, timelines and identification of key stakeholders that should be involved in the development of the strategy.
Selecting a champion is a critical first step in this phase. The strategy development process should be coordinated by a single, competent authority which will then appoint an individual to be responsible and accountable for leading the overall project. If no such authority exists, consider setting up a national cybersecurity agency. The agency should be supported by a steering committee whose main role is to provide guidance and ensure the quality of the work. Details about the roles, establishment and membership of the steering committee should be clearly defined from the outset.
In addition to the steering committee, a broad advisory committee comprising diverse relevant stakeholders should also be formed, and its members should be engaged to contribute to the process. The stakeholders may include ICT companies, critical-infrastructure operators, academic experts, and non-governmental organizations working on raising cybersecurity awareness and preparedness, amongst others.
Once the various institutional arrangements are put in place, the Project Lead shall draft a plan for developing the National Cybersecurity Strategy, which will be reviewed and approved by the Steering Committee. The Strategy development plan should lay out major steps and activities, key stakeholders, timelines and resource requirements. It should specify how and when relevant stakeholders will be expected to participate in the development process to contribute input and feedback. It should also identify human and financial resources needed, and where these could be procured. Particular attention should be placed on securing long-term funding for the full lifecycle of the project, including its development, implementation and refinement.
Phase 2: Situational Analysis and Risk Assessment
In order to be effective, the National Cybersecurity Strategy needs to reflect the country’s current cybersecurity circumstances. To this end, an evaluation of the country’s current cybersecurity strengths and weaknesses should be undertaken, and relevant materials should be consulted in collaboration with relevant stakeholders across government, private sector and civil society.
Part of this analysis may include the identification of assets and services critical to the proper functioning of the society and economy, and the mapping of existing national laws, regulations, policies, programs and institutions related to cyber security.
Data on existing national cybersecurity programs, regional and international initiatives, private sector projects, ICT and cyber-education and skill-development programs, and digital R&D activities should be collected. Other data that should also be collected for analysis include statistics on Internet penetration, ICT adoption, and technology development; and perspectives on potential ICT and cybersecurity patterns and challenges.
Building on the collected information, an assessment of the risks the nation faces as a result of its digital dependency must be conducted. This can be accomplished by defining national digital assets, both public and private, their interdependencies, vulnerabilities and risks, and by assessing the probability and potential impact of a cyberattack.
Phase 3: Strategy Drafting
Based on the situational analysis and risk assessment, the Project Lead, in collaboration with the Steering Committee, should initiate the drafting of the Strategy. Dedicated working groups could be created either to focus on specific topics or to draft different sections of the strategy.
The strategy will set out the overall direction for cyber security for the country; express a clear vision and scope; set goals to be accomplished within a specific timeframe; and prioritise them in terms of impact on society, the economy and infrastructure.
The strategy also needs to determine the mandates of the various entities responsible for implementing and establishing cybersecurity policies and regulations within the state. In particular, it should identify the roles and duties of the agencies responsible for collecting intelligence on risks or vulnerabilities, reacting to security attacks, and improving preparedness and handling emergencies.
To ensure that the final strategy is based on a shared vision, the draft strategy should be disseminated across a large stakeholder community, not only restricted to those who engaged in the development process. External feedback can be collected through a variety of engagement mechanisms, including online consultation, validation workshops, and additional working groups.
Phase 4: Implementation Plan
Once the strategy is finalised and approved by the government, an action plan shall be developed to implement it. The National Cybersecurity Strategy outlines the goals and the results the nation wishes to achieve across the different focus areas. The action plan should identify specific programs within each focus area that will help to achieve such goals. These could include planning cybersecurity drills, establishing safety guidelines for critical infrastructure, and creating an incident management system, among others.
While the development of the strategy shall be led by a single authority, its implementation cannot be the sole responsibility of one entity alone. Instead, it requires engagements and coordination with a range of different stakeholders across the government, as well as support from civil society and the private sector. Therefore, when priority projects have been identified, specific government entities are then selected as owners of each of the initiatives. These government entities would be responsible and accountable for the execution of each particular program delegated to them, and they are required to coordinate their efforts with other relevant stakeholders during the implementation process.
In assigning the initiatives to different institutions, it is important to understand their respective mandates, capacity and resources. When required, support must be provided to help project owners identify and secure the required resources in accordance with the country's administrative and financial structures.
Another critical element of the Action Plan is the design of common criteria and key performance indicators that measure each of the actions being implemented. Clear deadlines for implementation should also be defined. These indicators and timeframe will facilitate the evaluation of the success of the initiatives during and after their implementation.
Phase 5: Monitoring and Evaluation Plan
To ensure successful monitoring and evaluation of the execution of the strategy, the government will need to create an independent entity accountable for tracking and reviewing the progress and challenges of the implementation.
The establishment of baseline metrics and key performance indicators (KPIs) for near-term, mid-term and long-term objectives helps reinforce the governance and management mechanisms. Continuous reviews of the implementation plan (i.e. what is going well and what is not) help inform the strategy. Good governance frameworks for execution of the plan should also clearly define accountability and responsibility for ensuring successful implementation.
This approach will ensure that the relevant stakeholders are held accountable to the commitments set. It will also ensure that any obstacles in the execution are recognised or detected early on. It will thus allow the government either to correct the situation or to change its plans accordingly on the basis of the lessons learned in the implementation process.
Developing a holistic cybersecurity strategy is critical for a nation to prevent and respond to cyber risks in our increasingly interconnected world. This paper has outlined five basic steps for policymakers to consider in developing their country’s national cybersecurity strategy. It should be noted that a country’s national policies shall enable that country to collaborate effectively with international partners and to design and comply with existing international obligations. To be truly effective, international norms for cyberspace will need to be implemented at the national level. Policymakers must therefore keep the goals of international norms in mind when developing their national cybersecurity strategy and associated policies.
The opinions expressed are the author’s own and do not reflect the views of the Asian Vision Institute.