A Latin America and Caribbean’s View on National Cybersecurity Strategies

There is always a dichotomy as to what should be included in a National Cybersecurity Strategy (NCSS) with the discussion often hinging on whether it should be called a Policy or a Strategy. Globally there are over 70 national cybersecurity strategies (NCSS) publicly available; in Latin America a total of 4 have been approved and 6 are in various stages of development. These strategies have been called various names such as National Strategy for Cyber and Information Security (Denmark) or Programme for the Development of Electronic Information Security (Cyber Security) for 2011-2019 (2011(Lithuania)).Some countries have taken another approach and have also included cybersecurity components in their national security strategies such as Russia (2013) and Denmark (Denmark Defense Agreement 2013-2017).

Written by: Kerry-Ann Barrett and Barbara Marchiori; they are part of the Cybersecurity Program at the Secretariat of the Inter-American Committee against Terrorism (CICTE) of the Organization of American States (OAS). In their capacities, they assist OAS member states in the conceptualization and development of National Cybersecurity Strategies.

Key ingredients of a National Cybersecurity Strategy

In terms of what should be included in an NCSS, several common themes have been covered globally, such as:

• Governance Frameworks (e.g., national coordination)
• Legal Frameworks (e.g., Cybercrime legislation and publication of technical standards)
• Public Awareness Raising (e.g., national or sector specific campaigns)
• Technical Capability/ Capacity-building (e.g., establishment of a national CSIRT, critical infrastructure protection, and academic programs)
• Public-Private Partnerships and International Cooperation (e.g., information sharing arrangements)
• Defense and Cybersecurity (e.g., establishment of a national command cyber defense center)

Many countries have also recognized the need to separate the roles for strategy development and operational response. For example, in Australia, there is the Cyber Security Policy and Coordination Committee, which is an interdepartmental committee that coordinates the development of cybersecurity policy for the Government; determines priorities and is responsible for international collaboration, while on the technical side there is both a. CERT Australia which is the national coordination point for the Australian Government for provision of cyber security information and advice and  b. the Cyber Security Operations Centre (CSOC).  Using Colombia as an example for the LAC region, policy is determined by the National Council of Economic and Social Policy, which usually approves what is known as the ‘CONPES’ (i.e. a high-level policy document that provides guidelines on socio-economic strategic issues for the country), while the Colombian Cyber Emergency Response Team (ColCERT) is a response mechanism for organization-specific cyber incidents.

Action and implementation

The approach of the Organization of American States (OAS) General Secretariat has been to prevail upon our member states to recognize that once a high level policy directive is given regarding cyber security, there must be an associated strategic plan of action to achieve that directive and its goals. The process for its development should always involve all relevant stakeholders (government, private sector, civil society, academia, et al.) and culminate in a document that is clear in its scope, addresses specific national threats, and articulates clear goals, objectives, as well as the steps needed to achieve those goals in light of identified priorities and indicators to measure progress. In relation to its implementation, once approved, the associated costs and available resources must be identified and included in the budgets of implementing agencies or entities.

The development process for NCSS in the LAC region has shown promising prospects, as each country has recognized the need to have a structured and coordinated approach to developing their NCSS. When requesting the support of the OAS General Secretariat to develop a NCSS, each member state is asked to establish a national multi-stakeholder working group to be part of the development of the strategy and to open a roundtable dialogue on the specific cybersecurity challenges facing their country. This open dialogue facilitates feedback as well during the drafting stages of the document.

The challenges of ownership and sustainability

The experience in LAC, however, has not been without challenges. There are so many factors external to the development process that affects its success. The identification of an owner/owners for the development and implementation of the NCSS, change in the national priorities as a result of unforeseen events such as a national disaster or change in Government, competing agencies vying for leadership, economic constraints, failure to obtain executive buy-in, among others. On the other hand, we have seen some uncommon and unprecedented approaches that have augured well for sustainability. For example, in one member state, the draft NCSS was shared with opposition parties before approval and their input and comments were taken into account, which aided in the document being approved seamlessly. In another, the directive to review the cybersecurity situation was given from the level of the Presidency. This ensured coordination of the process with all stakeholders, timelines being met and, ultimately, development and approval within a year of the process beginning.

In this context, it is still undeniable that NCSS are critical documents for coordinating national efforts to combat a threat that has international impact. The NCSS can only be successful if identified as an area of priority at the national level with a dedicated and well-resourced champion. This is particularly challenging in the LAC region, where countries are still struggling to achieve economic stability and increase Internet penetration.  When countries are faced with pressing social and economic issues, it is only natural that an investment in cybersecurity risk reduction is placed on the backburner. Investment in the Internet contributes to economic growth and social development and if the Internet is to reach its full potential in this regard, it must be secured.  Therefore it is imperative that cybersecurity be considered at the onset.