Since its creation, Information and Communication Technology has evolved to become the backbone of modern business, critical services and infrastructure, social networks, and the global economy as a whole.
As a result, national leaders have started to launch digital strategies and to
fund projects that increase Internet connectivity and leverage the benefits
stemming from the use of ICTs, to stimulate economic growth, to increase
productivity and efficiency, to improve service delivery and capacity, to
provide access to business and information, to enable e-learning, to enhance
workforce skills and to promote good governance. Countries cannot ignore the
opportunities associated with becoming connected and participating in the
Internet economy.
While the reliance of our societies on the digital infrastructure is growing,
technology remains inherently vulnerable. The confidentiality, integrity
and availability of ICT infrastructure are challenged by rapidly evolving
risks, including electronic fraud, theft of intellectual property and personally
identifiable information, disruption of service, and damage or destruction of
property. The transformational power of ICTs and the Internet as catalysts for
economic growth and social development is at a critical point where citizens’
and national trust and confidence in the use of ICTs are being eroded by
cyber-insecurity.
To fully realise the potential of technology, states must align their national
economic visions with their national security priorities. If the security risks
associated with the proliferation of ICT-enabled infrastructure and Internet
applications are not appropriately balanced with comprehensive national
cybersecurity strategies and resilience plans, countries will be unable to
achieve the economic growth and the national security goals they are seeking.
In response, nations are developing both offensive and defensive capabilities
to defend themselves from illicit and illegal activities in cyberspace and to
pre-empt incidents before they can cause harm to their nations. This document
will look specifically at defensive responses, particularly in the form of national
cybersecurity strategies.

2.1 What is cybersecurity
Several national and international definitions of the term “cybersecurity”
exist. For the purpose of this document, the term “cybersecurity” is meant
to describe the collection of tools, policies, guidelines, risk management
approaches, actions, trainings, best practices, assurance, and technologies
that can be used to protect the availability, integrity, and confidentiality
of assets in the connected infrastructures pertaining to government,
private organisations, and citizens; these assets include connected
computing devices, personnel, infrastructure, applications, digital services,
telecommunications systems, and data in the digital environment.

2.2 Benefits of a National Cybersecurity Strategy and strategy development process
National cybersecurity strategies can take many forms and can go into varying
levels of detail, depending on the particular country’s objectives and levels
of cyber-readiness. Therefore, there is no established and commonly agreed
definition of what constitutes a National Cybersecurity Strategy.
Relying on existing research in this area, this document encourages
stakeholders to think of a National Cybersecurity Strategy as:
• an expression of the vision, high-level objectives, principles and priorities
that guide a country in addressing cybersecurity;
• an overview of the stakeholders tasked with improving cybersecurity of
the nation and their respective roles and responsibilities; and
• a description of the steps, programmes and initiatives that a country will
undertake to protect its national cyber-infrastructure and, in the process,
increase its security and resilience.
Setting the vision, objectives, and priorities upfront enables governments
to look at cybersecurity holistically across their national digital ecosystem,
instead of at a particular sector, objective, or in response to a specific risk – it
allows them to be strategic. Priorities for national cybersecurity strategies
vary by country, so while the focus for one country may be addressing
critical infrastructure-related risks, for others it may be protecting intellectual
property, promoting trust in the online environment, or improving cybersecurity
awareness of the general public, or a combination of these issues.
The need to identify and subsequently prioritise investments and resources
is critical to successfully managing risks in an area as all-encompassing
as cybersecurity.
A National Cybersecurity Strategy also provides the opportunity to align
cybersecurity priorities with other ICT-related objectives. Cybersecurity
is central to achieving socio-economic objectives of modern economies
and the Strategy should reflect how those are supported. This can be done
by referencing existing policies that seek to implement a country’s digital
or developmental agendas or by assessing how cybersecurity can be
incorporated into them.
Finally, a National Cybersecurity Strategy development process should
translate a government’s vision into coherent and implementable policies that
will help it achieve its objectives. This includes not only the steps, programmes
and initiatives that should be put in place, but also the resources allocated for
those efforts and how these resources should be used. Similarly, the process
should identify the metrics that will be used to help ensure that desired
outcomes are achieved within set budgets and timelines.