Last month, INTERPOL cybercrime experts travelled to Sri Lanka to advise local police officers on cybercrime investigations and the development of digital forensics capabilities. Similar workshops have slowly been set up in various countries where digital infrastructures are being developed, and they are a crucial step to increase the security and resilience of tomorrow’s digital global landscape.
As more than half of the world’s population is still offline, large-scale efforts are currently directed at extending internet connectivity in order to bridge the digital divide. Yet, massively expanding connectivity also increases the cybersecurity risk individuals and organizations face.
Neglecting cybersecurity has negative consequences on two fronts. First, developing countries will not be able to reap the full benefits of information and communication technologies (ICTs) if security considerations are not taken into account. These nations, which are expanding access rapidly, will be especially vulnerable to cybercrime, data breaches, and attacks on critical infrastructures if their systems are insecure from the start. There even are real concerns that attacks have the potential to take entire countries offline, as was the case in an alleged recent denial of service attack on Liberia’s internet infrastructure.
Second, insecure infrastructure in the developing world can have negative impacts on developed nations. In an increasingly interconnected digital ecosystem, insecure networks in one place can be abused to disrupt infrastructure around the globe. Similarly, without effective domestic law enforcement capabilities, safe havens for cybercrime can arise. As more users and devices go online, the potential for cross-border problems is increasing exponentially.
These developments should push all countries to improve the resilience of the weakest systems connected to the internet. Cybersecurity capacity building (CCB) is critical to this effort. CCB initiatives encompass a broad set of activities, such as supporting governments in developing national cybersecurity strategies or enhancing the technical capabilities of local CSIRTs. A number of maturity models have been developed to assess and benchmark cybersecurity capacity, and the Global Forum for Cyber Expertise (GFCE) was created as a first attempt to exchange and pool international expertise on CCB. The UN GGE has pointed to CCB as a means to “bridge the divide in the security of ICTs and their use.”
Despite an engaged community of experts and an increasing number of projects, present efforts still fall short of what is needed to transform cybersecurity from an afterthought into an integral part of expanding connectivity. Initiatives are often under-funded and uncoordinated—both within and between countries—and only few best practices have been identified. In addition to gaps in capacity, there is little exchange—let alone integration—between cybersecurity experts, development actors and diplomats. As a result, awareness of capacity building pitfalls that have plagued efforts in other areas is increasing only slowly.
In a new report, we make the case that these gaps can be addressed in three ways.
First, cybersecurity and international development experts must integrate their efforts. Otherwise, increases in connectivity, aided by development funding, are likely to outpace the resilience of the networks being connected. At the same time, cybersecurity professionals run the risk of failing to incorporate the strategies—honed over decades—that make development programs work.
Second, coordination and cooperation among donors must improve. Most donor countries have taken a piecemeal approach to CCB. Improved coordination at the international level, such as through the GFCE, is necessary to avoid duplication and to facilitate exchange. Efforts should include civil society, academia and the private sector, as government-led efforts will not be sustainable unless they are not linked to actors on the ground over the long term.
Third, continued and mutual learning is crucial to future efforts. Given that CCB efforts are still relatively new, there is little knowledge on what strategies have worked and why. Although a lack of successful projects should not deter action, there is a need to be transparent about whether a particular initiative was successful. That requires developing benchmarks and best practices. Existing maturity models such as the Cyber Readiness Index or the Cyber Security Capacity Maturity Model could serve as starting points.
Implementing these recommendations will require political leadership in donor countries to ensure the cybersecurity and development communities talk to each other. Unfortunately, CCB efforts garner less attention than more high profile issues such as cyber espionage. The UN GGE gets a lot of attention in cyber policy circles and is expected to issue a report this summer. Having the GGE elevate the importance of connecting the security and development communities would go a long way in promoting the importance of cybersecurity capacity building.
This commentary was originally published by the Council on Foreign Relations on April 12, 2017.
by Thorsten Benner, Mirko Hohmann
by Mirko Hohmann, Thorsten Benner
by Thorsten Benner