News item | 07-12-2016
The rapid growth of the Internet population has contributed to the economy and provided new opportunities to many African countries. But the rising cyberspace has also created significant challenges by opening up new threats. The absence of adequate measures in many African countries makes them more prone to cyber-attacks. One of the key instruments for providing a response to cyber-attacks is to have an effective cybersecurity strategy which acts as a shield for a variety of attacks. This article describes the ground realities of developing and implementing the cybersecurity strategy in Mauritius and outlines the main ingredients of the strategy document.
Written by: Dr. Kaleem Ahmed Usmani and Mrs. Jennita Rao Appanah, Computer Emergency Response Team of Mauritius (CERT-MU), National Computer Board, Mauritius
The Internet and digital technologies are transforming African nations, in part by acting as drivers for economic growth and by providing new ways for communication and cooperation. While this change acts as a catalyst for boosting the countries’ efficiency and productivity, it also creates a number of challenges in maintaining users’ trust and confidence in the cyber environment. With the emergence of new threats to the online environment, the cybersecurity landscape has changed massively. In the face of increasing cyber threats and the sophisticated nature of cyber-attacks, African nations require a cohesive and comprehensive national cybersecurity strategy to be developed and implemented to respond effectively. This will help in creating a secure and reliable online environment, in which businesses and government services depend and could provide better cyber protection.
In this regard, the development and implementation of the Mauritian cybersecurity strategy and the main challenges that were encountered, will be reviewed. The Mauritian cybersecurity strategy was developed following a national survey conducted in October 2013 to assess the security posture of businesses in Mauritius. The aim of the strategy is to make the Mauritian cyberspace more secure and resilient, focusing on the following strategic guidelines:
- Securing the cyberspace and establishing a front line of defense against cybercrime;
- Enhancing resilience to cyber-attacks and be able to defend against the full spectrum of threats;
- Developing an efficient collaborative model between the authorities and the business community to advance national cybersecurity and cyber defense; and
- Improving the cyber expertise and the comprehensive cyber security awareness of the society at all levels.
Based on the above guidelines, the strategy describes an action plan that provides reasonable assurance of resilience and security to support national missions and economic stability. Twenty-eight (28) projects were identified and some of the key priorities include: (1) the protection of critical information infrastructures, (2) a clear governance framework, (3) the creation of public and private partnerships, (4) fight against cybercrime by developing law enforcement capability, (5) the improvement of the legal framework, and (6) international and regional cooperation on cybercrime. The emphasis was also laid down on the monitoring of the cyber territory for malicious traffic by setting up a cyber-threat monitoring system.
Development and Implementation of the Strategy
Strategy development and implementation is a daunting task and requires the coordination and support of all stakeholders. A few of the issues and challenges faced in bringing the strategy to life, which was developed and approved in 2014 are as follows:
- Legal basis for project(s)implementation
A legal basis is an important aspect for the implementation of the projects of the national cybersecurity strategy, and it should be kept in mind while undertaking the legal framework assessment exercise. The take up of amendment of legal provision(s) in the existing legislation or creating new ones at the time of project implementation could be a taxing affair and may derail the set targets. This could even lead to a failure of the project.
- Inter-institutional collaboration and assignment of stakeholdership roles
Ownership and the stakeholdership are the vital threads of the strategy development and require a concrete analysis to come up with an actionable plan involving public and private sector that could be realized. The exercise requires lengthy discussions and validation procedures before establishing roles and responsibilities of the institutions according to their mandate.
- Setting up the Public-Private Partnership (PPP) Framework
One of the core elements of a national cybersecurity strategy is the public-private partnership (PPP). The PPP framework consists of various stakeholders from the public and private sector. It involves a collaborative effort of all key players to safeguard the cyberspace from attacks. It establishes a common scope and objectives and uses defined roles and work methodology to achieve shared goals. However, the implementation of the PPP framework is challenging, as it requires a proper balance between roles and responsibilities to be defined for proper execution and setup.
- Budget Estimation for projects
Accurate budget estimation is key to the successful implementation of the strategy action plan, and requires the consideration of a number of factors, such as technology readiness, infrastructure, and skills availability. The steps associated with the budgeting process are highly dependent on both the estimated length of tasks and the resources assigned to the project. A number of constraints, including financial, political, and organisational, may dictate the methods by which resources, such as personnel, equipment, services and materials, are acquired. This should be carefully taken into account while calculating the budget.
- Accurate Assessment of Human Resource Requirements
For the proper implementation of the strategy, it is important to have the right people with the skills needed to execute the projects on time. In this process, it is important that the skill requirement exercise is undertaken through a proper survey and its findings are used to address the HR requirements.
On the closing note, it’s worth mentioning that the cybersecurity strategy development and its proper implementation not only provides a better cyber defense to the cyber territory of a country, but it can also lead to economic and social development. Countries embarking on the strategy development or in the stage of implementation could certainly look into these areas for effective development and implementation of their national cybersecurity strategies.
National cybersecurity strategy making is at a turning point. Many countries recognise the importance of cybersecurity and it has become a national priority. African nations too require national cybersecurity strategies that aim to drive economic and social prosperity and protect the countries’ cyber space against emerging threats. The establishment of a national cybersecurity strategy will help them in creating a better cyber protection. However, there are many challenges associated with the strategy development and implementation and to address these concerns, the Mauritian experience could be helpful to be looked into.
This article first appeared in the second issue of the Global Cyber Expertise Magazine – November 2016.