It is undoubtedly challenging to craft and execute a national cybersecurity strategy. Our research reveals common elements of successful strategies.
Against a backdrop of escalating geopolitical and geo-economic tensions, one of the biggest threats nations face today is from state-sponsored cyber warfare. From election interference to the alleged attempted theft of sensitive COVID-19 vaccine research to power-supply cutoffs for nearly a quarter-million people, state-sponsored cyberattacks are infiltrating the critical infrastructure of countries around the world.
Not just state actors but also nonstate actors today have more technical prowess, motivation, and financial resources than ever before to carry out disruptive attacks on a country’s critical infrastructure. Any attack on critical infrastructure in one sector of a country can lead to disruption in other sectors as well. An attack on a country’s telecommunications, for example, may disrupt electronic payments.
But this is just part of the problem. Today, individuals and businesses are more dependent than ever on digital connectivity in virtually every aspect of their existence. Most people cannot imagine going even a few hours without access to the internet. Globally, an estimated 127 new devices connect to the internet every second. Any disruption in digital connectivity is considered an obstacle in the path of progress.
Owing to the COVID-19 pandemic, our dependence on all matters digital has increased dramatically. With remote working having become integral to our economies and the medical response, the rising dependence of citizens and businesses on everything digital is only going to continue.
With every new device, user, and business that connects to the internet, however, the threat of cyberattacks increases. If a government cannot provide secure and trusted digital connectivity, societies can’t prosper and economies won’t thrive.
About the research

No government can eliminate all possible threats. But some have excelled in creating, implementing, and refining national cybersecurity defense strategies. We identified those governments based on these two criteria:
1. Global Cybersecurity Index (GCI) rank. The International Telecommunication Union publishes the GCI, which “measures the commitment of countries to cybersecurity at a global level—to raise awareness of the importance and different dimensions of the issue.” [1: Global Cybersecurity Index, International Telecommunication Union, itu.int.] To qualify for our study, countries needed to be ranked in the GCI’s top 30 in 2018. Many experts believe that the GCI’s methodology has room for improvement. Still, it is the only global index measuring the cybersecurity maturity of countries that has gained traction and is actively used by several countries to measure their own progress.
2. Network Readiness Index (NRI) rank. Published by the Portulans Institute, the NRI assesses the progress and readiness of technology adoption in countries around the world in terms of technology, people, governance, and impact. To qualify for our study, countries needed to be ranked in the top 30 of the NRI. [2: Soumitra Dutta and Bruno Lanvin, eds., The Network Readiness Index 2019: Towards a future-ready society, Portulans Institute, 2019, networkreadinessindex.org.]
Together, these criteria help to identify nations that are combating cybersecurity risks through comprehensive efforts at a national level. We are not evaluating the countries on their performance but choosing a few that might have lessons for other countries around the world. These nations have invested considerable resources to improve their cybersecurity. Based on this methodology, the following countries were included for our benchmarking analysis: Australia, Canada, China, Estonia, France, Germany, Israel, Singapore, South Korea, the United Kingdom, and the United States (exhibit).
We made exceptions for China and Israel. We believe China is a worthy addition given its sheer scale and the progress it has made in digital innovation across sectors in recent years. Similarly, in the past five years, Israel’s cybersecurity ecosystem has grown faster than nearly any other in the world. Israel accounts for less than half a percent of global GDP, but in 2018 a whopping $1.2 billion—nearly 20 percent of worldwide venture-capital investment in cybersecurity—went to Israeli cybersecurity start-ups. [3: Nir Falevich, Cybersecurity Report 2019: Key Insights into Israeli cybersecurity—looking back at 2018, moving into 2019, Start-Up Nation Central, startupnationcentral.org.]
As a result, more than 100 governments have developed national cybersecurity defense strategies to combat the cybersecurity risks that their citizens, businesses, and critical infrastructure face. To help up-and-coming governments, we studied and benchmarked the cybersecurity strategies of 11 nations (see sidebar, “About the research”).
While countries have taken a wide variety of approaches to cybersecurity defense, we have identified five common elements of successful national strategies. We explore those strategies in this article. The dangers relating to cybersecurity are constantly evolving, and the stakes are high. Governments that focus their efforts in these five places might be in a better position to prevent cyberattacks, mitigate their damage, and better protect their citizens, businesses, and critical infrastructure.
These are the five elements of successful national cybersecurity strategies:
Best-in-class countries give a single entity—usually referred to as a national cybersecurity agency (NCA)—the overall responsibility of defining and driving the cybersecurity agenda of the entire country. This involves developing a cohesive national cybersecurity strategy with a portfolio of initiatives, among them protecting the critical infrastructure of the country, mobilizing the response to cyber incidents, defining cybersecurity standards, improving the cyber awareness of citizens, and developing the cybersecurity capabilities of professionals.
Fulfilling these responsibilities requires the NCA to have adequate in-house technical skills and expertise. To fill any capability gaps, the NCA typically partners with and mobilizes other government entities as well as the private sector. The United Kingdom’s National Cybersecurity Agency, for instance, works closely with other government entities, such as the Department for Digital, Culture, Media & Sport, to improve the capabilities of cybersecurity professionals in the country.
When setting up an NCA, countries can consider design choices, such as:
Approaches to these design choices vary even among leading countries but typically reflect a country’s political philosophy, federal government structure, maturity of cyber capabilities, and overall cybersecurity aspirations.
If an NCA could only focus on one aspect of cybersecurity, it should be protecting the critical infrastructure of the country. Critical infrastructure is typically the most attractive target for hostile state actors. Disruption to critical infrastructure can have an impact on the economy, business confidence, society, and even overall national security. Critical infrastructure typically consists of both information technology and operational technology, which makes it harder and more complicated to protect. Our study found that the best-in-class National Critical Infrastructure Protection programs focus on the following three success factors:
Prioritized critical sectors and assets. A country typically determines whether a sector is critical based on how significant a role it plays in ensuring the health of the economy, well-being of the society, and national security of the country. For example, the European Union’s Network and Information Security (NIS) directive considers energy, transport, digital infrastructure, healthcare, and water critical sectors to protect. Our global benchmark analysis of 11 countries reveals that the majority of those countries have identified 11 critical sectors, ranging from energy (oil, gas, and nuclear power) to healthcare and emergency services.
Typically, an NCA works with the regulator of each critical sector to prepare criteria for what should constitute critical assets in that sector. For example, in the United Kingdom, the Department for Business, Energy & Industrial Strategy considers any company that supplies electricity to more than 250,000 final customers to be critical.
Globally recognized cybersecurity standards to protect critical assets. Best-in-class countries recommend that organizations in critical sectors comply with globally recognized cybersecurity standards, such as the ones defined in the US National Institute of Standards and Technology’s Cybersecurity Framework. Employing a globally accepted standard makes it easier for organizations to comply since it’s likely that their cybersecurity teams are already familiar with it. Similarly, the European Union’s NIS directive aims to achieve a common, high level of network- and information-systems security across all critical-sector entities in EU countries.
Robust governance mechanism. In many countries, tension exists between the regulating entity and the enforcement entity. A robust governance mechanism between the two is therefore critical to the success of the National Critical Infrastructure Protection program: the NCA formulates the strategy, governance, and technical standards of the country’s overall program, while the sector regulators are responsible for creating awareness about, and enforcing, the cybersecurity standards in their respective sectors.
To meet the unique needs of specific sectors, regulators in some countries may recommend additional sector-specific cybersecurity standards as well. In the United States, to secure credit-card transactions and related personally identifiable data, all companies that handle card payments must comply with the Payment Card Industry Data Security Standard. To ensure compliance, sector committees typically audit sectoral entities on a periodic basis and may choose to apply incentives or penalties.
Cyberattacks are inevitable, so every government needs to develop a national incident response and recovery plan to mitigate the effects of cyber incidents and improve recovery time. Our study found that the best-in-class plans focus on six important elements:
Clearly defined reporting procedure for citizens and businesses. Best-in-class countries clearly define to whom their citizens and businesses should report cyber incidents. For example, in the United Kingdom, the National Cyber Security Centre (NCSC) is a single point of contact for all businesses—and, increasingly, citizens—to report cyber incidents. In the back end, it is critical to build a centralized repository across government entities that captures data related to all cyber incidents in the country. This will enable governments to gather insights and intelligence and respond more effectively to cyber incidents.
Active monitoring for cyberthreats. In addition to passively recording all reported cybercrimes, governments must actively monitor the internet for cyberthreats. For example, 24 hours a day, seven days a week, the US National Security Operations Center monitors security threats entering the United States and combines network patterns with existing national-security intelligence to assess threats.
Multiple sources of threat intelligence. To supplement traditional sources of threat intelligence, best-in-class governments establish additional channels. For instance, in 2013 the United Kingdom launched the Cyber Security Information Sharing Partnership, which features a platform where the government and the private sector can share threat intelligence quickly and confidentially.
Proactive efforts to combat cyberthreats. Best-in-class countries use data from both active and passive sources to initiate actions to combat cyberthreats facing the country. For example, the NCSC in the United Kingdom launched the Active Cyber Defence initiative to tackle cyberthreats in an automated and scalable manner. If a threat such as malicious content is detected on a website, the NCSC proactively blocks it across the entire country and works with the hosting company to take it down.
Standardized severity-assessment matrix. The benchmark countries classify each cyber incident based on its severity in terms of loss of life, national security, public confidence, type of victim, and interdependence, among other dimensions. The hacking of a major bank may be classified as a high-severity incident, while the hacking of a small business may be classified as a low-severity incident. A standardized matrix provides all incident responders with a common language for cyber incidents of different severity levels.
Robust mobilization plan to respond effectively to cyber incidents. In conjunction with the severity-assessment matrix, each country should develop a robust mobilization plan that defines which government entities should respond to a cyber incident and what role each should play. The responding agencies typically vary depending on the severity level of the incident. In the event of a low-severity incident, such as a small enterprise being hacked, the local police might respond and the NCA might share guidance on its portal for the benefit of other small and midsize enterprises. However, in the event of a national emergency, such as the targeting of a power grid, multiple government entities are expected to respond—including the police, energy-sector regulators, intelligence agencies, and the NCA itself. Depending on the consequences of the attack, there may also be a requirement for political leadership.
As governments develop cybersecurity laws to prevent, investigate, and take actions against cybercrimes, they should focus on two success factors:
Robust substantive and procedural cybersecurity laws. Governments need to decide which aspects of cybersecurity they want to legislate and which aspects they want to provide guidance on without necessarily imposing any legal penalties. One good option while developing national cybersecurity laws is to embrace the guidelines laid out by the Budapest Convention—an international treaty governing cyberlaws agreed upon by more than 60 countries.