WS 111 Understanding Effective Cyber Security Capacity Building

WS 111 Understanding Effective Cyber Security Capacity Building: Summary

Workshop Session: IGF Day 2; Wednesday, November 11th, 14:00-15:30 in Workshop Room 4

Outline of Workshop Summary
• Session participants
• Substantive summary
• Section 1 – Highlights of panellists’ comments
• Section 2 – Questions posed by attendees
• Section 3 – Conclusions drawn from workshop and possible follow-up actions

Session Participants

Moderator:
• Ms Lara Pace, Knowledge Exchange Manager, Global Cyber Security Capacity Centre (GCSCC), University of Oxford

Panellists:
• Mr Taylor Roberts, Research Fellow, GCSCC, University of Oxford
• Ms Natalija Gelvanovska, Senior ICT Policy Specialist, Transport & ICT, World Bank Group (remote video participation)
• Ms Barbara Marchiori de Assis, Cyber Security Consultant, Organization of American States (OAS)
• Mr Ryan Johnson, Consultant, Managing Partner, Neo Globe Consulting

Apologies from the government of Bhutan due to illness the day prior to travel.

Rapporteur:
• Mr Taylor Roberts (above)

Number of attendees:
Estimated: more than 90 on-site, 10 online

Substantive Summary

As Information and Communication Technologies (ICT) deployment and the use of the Internet increase, so do the risks which accompany them. Cybersecurity capacity building efforts have thus become a priority, not only for governments, but also for the private sector and civil society around the world. These actors increasingly implement programmes, initiatives and institutions regarding security, and it is therefore important to consider the effectiveness of these investments to ensure that these efforts are made in a sustainable manner with maximum impact.

The Global Cyber Security Capacity Centre (GCSCC) was established to develop approaches to understanding effective cybersecurity capacity building in order to enhance both stakeholder decision-making and strategic thinking around global cyber capacity. The workshop summarised the work done by the centre to gain a better understanding of cybersecurity capacity building through deployment of its Cyber Security Capability Maturity Model (CMM) in cooperation with international partners such as the World Bank, the Organization of American States, and others.

After providing an insight into the context and objectives of the GCSCC, Mr Taylor Roberts provided background on the CMM, which was developed to help understand the current state of global cybersecurity capacity. The following panellists, Ms Natalija Gelvanovska and Ms Barbara Marchiori de Assis, described how their respective programmes of work were supported through the deployment of the model. Mr Ryan Johnson then provided insight on how civil society can continue to be engaged in cybersecurity capacity building, citing particular examples of civil society involvement in the implementation of the CMM.

Finally, Mr Roberts spoke about how analysing the relationships between the model and quantitative metrics for cybersecurity might help identify the impact and effectiveness of cybersecurity initiatives and provide more strategic investments into these areas. The statements from the panel were then followed by several questions from the audience, both present and participating online, which prompted good discussion among the panel and participants about specific elements of cybersecurity capacity.

Section 1 – Highlights of Panellists’ Comments
• Mr Taylor Roberts: The CMM seeks to help a nation review its cybersecurity capacity across five dimensions of capacity: strategy, society and culture, knowledge building, legal, and technology. The CMM was developed in cooperation with international experts from academia, government, industry, technological and civil society. Through implementing the CMM, a country can review its existing cybersecurity capacity and identify a series of next steps the country could take in order to increase this capacity or the maturity of existing capacities. The CMM has been implemented in ten countries thus far alongside several international organisations in order to enhance their respective programmes of work.

• Ms Natalija Gelvanovska: Natalija identified the importance of gaining an inclusive and comprehensive understanding of cybersecurity before making investments into ICT. As the World Bank has several substantial investments in those technologies, it is collaborating with the GCSCC in order to enhance its own internal capacity to consider cybersecurity. Both institutions teamed up in four missions to partner countries. In one of the missions, specifically in Kosovo, there has been significant follow-up regarding the recommendations provided by both parties.

• Ms Barbara Marchiori de Assis: The OAS, through a project with the Inter-American Development Bank, has recently conducted a study of cybersecurity capacity across the Americas which was premised on an application tool developed from the Capacity Maturity Model. A regional report is currently being put together and is shortly to be published, outlining the maturity of capacity in Latin America and the Caribbean. It is hoped that these reviews will continue to take place on a regular basis, internalising the learning from these countries into the capacity maturity model.

• Mr Ryan Johnson: Mr Johnson stressed the importance of international cooperation and multistakeholder approaches, especially civil society participation, in such multidisciplinary processes. Through the building of a global understanding of what effective cybersecurity capacity is, stakeholders from across nation states and the international community are enabled to create meaningful cooperation and contribute to a decrease of duplication, with particular reference to understanding existing gaps in capacity building.

Section 2 – Questions posed by attendees
• A telecom representative from India pointed out the need for government support of industry development on capacity building
• An online participant from Nigeria asked what the model provides for human capacity
• KITANET questioned who bears the cost and who has the role of coordination for cybersecurity
• UNEC Africa commented that it looks at cybersecurity capacity from three pillars and drew particular attention to the capacity to combat cybercrime; the WSIS review in Africa put cybersecurity in its proposal
• A civil society representative from Brazil asked about the role of education in the model
• A member of the Brazilian army questioned whether there is a definitive line between the responsibility of security forces and local response for cyber incidents
• A participant from Mexico asked for an authoritative document on combating cybercrime
• Microsoft commented on how cybersecurity capacity building is important in a broader social context, which implicitly affects the company’s work environment

Section 3 – Conclusions drawn from discussion and possible follow-up actions

The workshop provided a significant information update on the efforts by the GCSCC, thus promoting its international strategy and programmes of work. It further emphasised the need for the global community to work together in order to build a common understanding of what capacity for cybersecurity may or should be.

Follow-up actions from this session include the formulation of a workshop at the next IGF to present the Harm Model which the centre is currently developing. Together with the CMM and the Harm Model, the GCSCC hopes to provide all stakeholders, in particular those governments leading efforts to build cybersecurity capacity across their nations, a comprehensive framework to guide and better inform their strategic investments in cyber.