Information and communication technologies (ICTs) have become critical catalysts for sustainable development. Yet no country will be able to reap the full potential of ICTs without also building cybersecurity capacity to address the risks associated with connectivity, such as losing trust in digital infrastructures, cybercrime, or even threats to national security. Still, in many nations, and especially those in the process of developing their ICT infrastructures, security often remains an afterthought. But increasing cybersecurity capacity is not only in the interest of individual countries – in a globally connected world where vulnerabilities in one country create risks for others, building resilient systems is crucial. Cybersecurity capacity building (CCB) is key to both mitigating these negative cross-border externalities and maximizing the benefits of ICT-led development.
Cybersecurity Capacity Building Today
Cybersecurity Capacity Building refers to a set of initiatives that empowers individuals, communities, and governments to reap potential gains from investments in digital technologies, or what the World Bank calls “digital dividends.” To do so, an engaged community of experts has formed to set up computer security incident response teams, provide support in developing national cybersecurity strategies, and carry out awareness-raising campaigns, among other initiatives. A number of maturity models have been developed to assess and benchmark cybersecurity capacity, and the Global Forum for Cyber Expertise (GFCE) was created as a first attempt to exchange and pool international expertise on CCB.
Early adopters in governments and international organizations as well as nonstate actors have increasingly recognized the relevance of CCB to address the risks of connectivity: states such as the UK, Netherlands, or the US, international and regional organizations including the OAS, ITU, and the EU and other actors like Oxford University or Microsoft are slowly lending support and resources to building capacity. For some, CCB has even become a tool for foreign policy – as a means to advocate for a particular model of internet governance, create market access for domestic companies, or promote specific technical standards.
Despite international recognition and an increasing number of incentives, the present supply falls short of what is needed to transform cybersecurity from an afterthought into an integral part of expanding connectivity. Efforts are often under-funded and uncoordinated – both within and between countries – and only few lessons learned and best practices are available. There is little exchange, let alone integration, between cybersecurity and development actors as well as diplomats. As a result, awareness of capacity building pitfalls that have plagued efforts in other areas is increasing slowly.
Five Principles to Address Current Gaps
To help close aforementioned gaps in ongoing efforts and to provide guidance on scaling CCB going forward, we advocate for a principle-based approach. Based on interviews we conducted with over forty experts in the field as well as a broad literature review, we suggest the following five guiding principles: national and international coordination and cooperation; integration of cybersecurity and development expertise; ownership of the recipient-country; sustainability of efforts; and continued and mutual learning.
For each of the principles, we suggest a goal – that is, an ideal set-up –, analyze the status quo, and provide recommendations on how to work towards the goal. Our key take-aways are:
The Need for Political Leadership
As these recommendations show, there is an opportunity to make use of both cybersecurity expertise and existing knowledge and experience on how (not) to build capacity abroad, especially in the cybersecurity, development and diplomatic communities. However, CCB currently lacks the necessary top-level leadership attention and support to seize this opportunity. Depending on the direction that leadership takes, CCB will either “muddle through” or “keep pace”– two plausible scenarios that we develop at the end of the study. In both, exponential growth in connectivity appears to be a given; less certain is how cybersecurity capacity will evolve.
Germany is one of the countries that is well placed to take on a key role in the field. While current efforts are still at a nascent stage, Germany has one of the world’s most advanced ICT systems, boasts a strong international network, and can draw upon capacity building efforts in other areas. First, Germany should lead by example in terms of its domestic setup. This means devising a clear strategy that cuts across the turf concerns of different organizations and involves government and non-government actors alike. In parallel, a discussion needs to take place on how to mobilize funding – a conversation that needs to specifically include the Bundestag. Based on a strong domestic performance, Germany could become a catalyst for global action: utilizing its diplomatic relations with countries from the Global South, Germany could advocate for investing in resilient ICT infrastructures, provide necessary CCB measures in partner countries, and support the strengthening of multilateral efforts.
by Mirko Hohmann
by Graham Webster, Niklas Kossow
Transatlantic Digital Debates 2017
by Mirko Hohmann, Alexander Pirang
Council on Foreign Relations