International Telecommunication Union

Towards a Multi-stakeholder initiative to develop and improve national cybersecurity strategies

2016-07-13


National Cybersecurity Strategies - WHAT

• Policy document, Strategy document, Action Plan
• Process for review and enhancement
• Standalone document or embedded in other strategies …
• Actionable, Sustainable
• A public document or not …
• Currently over 72 countries have published National Cybersecurity Strategies
• The oldest was issued in 2004 and the latest in 2015.

Some repositories are:

• ITU http://www.itu.int/en/ITU-D/Cybersecurity/Pages/National-Strategies-repository.aspx
• ENISA https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world
• NATO CCDCOE https://ccdcoe.org/strategies-policies.html

Source: ITU


National Cybersecurity Strategies - WHY

• Brings into being the route to building public confidence and trust in the use of ICTs through a coordinated multi-sector response driven by the relevant national agency
• Becomes a necessity as
  • ICT usage in the country increases
  • Cyber-attacks proliferate locally and regionally
  • A wake up call through an attack on a critical (information) infrastructure
  • Country is identified as a vector for cyber-attacks
  • Alignment with regional and international principles, resolutions, agreements..
• To leapfrog in Cybersecurity development as part of a bigger socio-economic strategy
• Indicates Government commitment to enhancement of Cybersecurity
• Justifies the funding and other resources needed to enhance Cybersecurity

There are other valid reasons..


National Cybersecurity Strategies - HOW

• Have a champion leading the work and ensuring that the deliverable will move into the implementation phase
• Set up a dedicated local team with the relevant representation and expertise
• Contract Consultancy / Expert services / bi-laterals with nations having expertise in NCS elaboration
• Use existing models, tools and resources
• Identify the appropriate resources … how do nations do that?
• Let’s reduce the Confusion & Overlaps and create effective SYNERGIES

And there are more great resources…


All project partners contribute their knowledge and expertise in the National Cyber Security domain, thereby providing a high added value to the toolkit definition

15 Partners who have been active in devising models and implementing cybersecurity strategies

ENISA

Comprehensive and not exhaustive …

• Devise tools, guidelines, principles, checklists…
• Implement National Cybersecurity Strategies
• Provide funding for National Cybersecurity Strategies development / implementations

Co-authored Multi-stakeholder approach


Let’s create a toolkit to help nations to develop or improve their national cyber security strategies

Examples of Topics To Be Addressed

• The role, objectives and scope of a National Cyber Security Strategy in line with the UN SDGs
• The definition/publication/review process: the Governance Model
• National and International Standards and government compliance program
• Critical Infrastructure Protection and integration with other national security/emergency programs
• National Risk Management program
• Implementation strategies for the Government
• National Incident Response/CERT - integration/alignment with Military/Intelligence
• Implementation strategies for Private Sector
• The definition/publication/review process: the Awareness Programme
• Aspects not typically covered by public strategies that should be considered and addressed

Components of Toolkit

NCS Guide

A single resource for any country to gain a clear understanding of National Cyber Security Strategy in terms of:
– the purpose and content
– how to go about developing a strategy, including strategic areas and capabilities
– the relevant models and resources available
– the assistance available from various organisations and their contact details

FORMAT: 15-20 page Word / PDF

Support Tool

A simple tool that allows national governments and stakeholders to:
– Evaluate their current status in each of the strategic areas identified in the reference guide
– Evaluate their current status in cyber security lifecycle management
– Easily identify key areas for improvement
– Provide a means for measuring improvements over time

FORMAT: Excel or web-based worksheet


Five key elements considered when designing the toolkit

1. GEOGRAPHIC FOCUS
   Definition: Which countries / regional areas the model / tool focuses on
   • Global: Designed for use in all countries
   • Regional: Tailored for use in a specific region / political alliance

2. TARGET STRATEGY APPLICABILITY
   Definition: Designed to define a strategy or to evaluate an existing strategy
   • New: Provides guidance in developing a new strategy
   • Existing: Helps to evaluate existing strategies

3. AREAS OF IMPROVEMENT
   Definition: Helps to identify areas of improvement and how to address them
   • Identify: Identifies improvement areas
   • Address: Provides solutions for improvement areas

4. LINKAGE/REFERENCE TO OTHER MODELS
   Definition: Establishes links to existing guidelines / references
   • Global: Refers to globally focused models
   • Regional: Refers to regionally focused models

5. DESIGNED FOR ASSESSING IMPROVEMENTS
   Definition: Includes functionality for measuring improvements over time
   • Indicators: Good practice indicators for each component of the strategy that can be measured repeatedly over time

Source: ITU / Intellium preliminary analysis


First Partner’s Workshop – Feb 2016 @ ITU HQ Geneva

• Agreement on approach for a toolkit with a Reference Guide and an Evaluation component
• Agreement on overall structure of Reference Guide
  • Life cycle management process – PDCA adaptation
  • Horizontal cross cutting principles e.g. coordination, HR fundamental values, Responsibility & Accountability
  • 8 Strategic Areas: National Cybersecurity Governance, National Cybersecurity Framework, Critical infrastructure protection, National Incident Response, Capability Development, National Awareness & Workforce building, Legal frameworks, International Collaboration
  • Good Practice for each Strategic area


Sample Strategic Area & GPI

WORK IN PROGRESS

STRATEGIC AREA 4 – NATIONAL INCIDENT RESPONSE

Description: detection of and response to cyber incidents of national interest in a coherent manner with continuous improvement of response capabilities and coordination

GPIs:

4.1 Define what should be considered a national-level cyber security incident according to Impact-based guidelines

4.2 A national CERT (Computer Emergency Readiness Team) coordinates relevant stakeholders at national / regional / international level in both public and private sectors across the complete incident response lifecycle including preparation, prevention, response, and recovery

4.3 Requirements for Government agencies and Critical Infrastructure operators shall be defined (establishment of CERTs, Point of Contacts, Incident/breach notification, etc.)

4.4 Established contingency plans outline principles and guidelines for actions to be taken by relevant stakeholders in the event of a national cyber security incident.

4.5 Cybersecurity exercises are conducted at the national level and relevant stakeholders participate in exercises, at the national and/or regional/international level (through coordination with the national CIRT/CERT/CSIRT) to evaluate and

Reference to existing guidelines:

• ITU, National Cybersecurity Strategy Guide, sections: 11.3, 17.3
• GCSCC, Cyber Security Capability Maturity Model, section: Dimension 1-2
• CTO, Commonwealth Approach for Developing National Cyber Security Strategies, section: 4.7.5
• MS, Developing a National Strategy for Cybersecurity, section: Building Incident Response Capabilities
• ENISA, Guidebook on National Cyber Security Strategies, section: 3.6, 3.7, 3.10, 3.14
• OECD, Digital Security Risk Management for Economic and Social Prosperity, section: 2-B
• Handbook for Computer Security Incident Response Teams (CSIRTs), 2nd Edition, April 2003,
• NATO CCD COE, National Cyber Security Guidelines, Guidelines, section: 3.3
• Potomac Institute for Policy Studies, Cyber Readiness Index, section 2


Second Partner’s Workshop – June 2016 @ Oxford University, UK

• Refined the NCS Guide and developed the Support tool’s specifications
• Presentations of relevant tools being worked on by World Bank and Rand Europe
• Agreement on
  • Processes for NCS development
  • Review of NCS Guide
  • Additions to Support Tool
  • Next workshop host and venue


Proposed Next Steps

• Partners review and ITU harmonization cycles until early October 2016
• Third Partner’s workshop in mid October in Washington DC hosted by OAS
• Pilots as from December 2016
• Regular information sharing among partners: new version of products, implementation sites, feedback, events, …
• Annual partners meeting and tool review every 2 years


Ultimate aim

• Facilitate approach of Member States towards elaborating, reviewing and evaluating their National Cybersecurity Strategies

• Harmonise efforts of all stakeholders who devise tools, guidelines, checklists and more

• Optimise use of resources in enhancement of the tools based on technology changes, lessons learnt and more

• Information sharing for effective, sustainable National Cybersecurity Strategies – a commitment from Government


Thank you

www.itu.int