Report on the “Cyber Capacity Assessments” Session
Report | GFCE V-Meeting “Cyber Capacity Assessments” | 28 April 2020
This open GFCE V-Meeting session was organized in collaboration with Oxford’s Global Cyber Security Capacity Centre (GCSCC) and is related to the work of the Strategy and Assessments Task Force under Working Group A on Strategy and Policy. This is the first time the GFCE had organized a session on the different assessment tools that exist, with 6 expert speakers sharing knowledge and expertise on the various tools. There was also some time carved out for speakers to address participants’ questions at the end of the session.
The aim of the “Cyber Capacity Assessments” session was to raise awareness on different assessment tools and underline the utility of assessment tools in informing cyber capacity building efforts. During the session, six expert speakers presented different assessment tools, covering aspects of the respective tool such as the development, methodology and deployment. There was also an opportunity for Q&A at the end of the session with the outcome of the session feeding into the work of the Strategy and Assessments Task Force under Working Group A on Strategy and Policy. After a short introduction by the Chair of the session Ms. Carolin Weisser Harris (GCSCC / Strategy and Assessments Task Force co-Lead), the speakers were invited to take the floor.
The first speaker was Prof. Michael Goldsmith (GCSCC), presenting the Cybersecurity Capacity Maturity Model for Nations (CMM) on behalf of the constellation of Regional Cybersecurity Capacity Research Centres (including Oceania Cyber Security Centre (OCSC) and Cybersecurity Capacity Centre for Southern Africa (C3SA)). Prof. Goldsmith’s presentation was focused on the structure and deployment of the CMM methodology, first explaining the 5 dimensions of the model and the 5 stages of maturity within each dimension. The model is suitable for self-assessment of current capacity and is deployed through in-country focus-group discussions with key stakeholders from multiple sectors (e.g. government, CERTs, civil society, etc.); usually over 10 sessions in 3 days by partners who have undergone extensive training on the methodology. Prof. Goldsmith concluded by highlighting the value of the CMM (e.g. enhanced awareness, increased funding for cyber capacity building, defining roles within government, etc.) and that the model has been deployed in over 80 countries.
Mr. Radu Serrano (Estonia’s e-Governance Academy) then gave a live demonstration of the eGA’s online National Cyber Security Index (NCSI) tool. The index is developed to measure countries’ ability to respond to cyber threats and mitigate cyber incidents through 46 indicators looking at e-governance, e-democracy and national cyber security. There are currently 160 countries on the index with features that allow you to compare different countries and compare the NCSI’s rating compared to other assessment tools. Mr. Serrano explained that the latter feature is useful to determine whether a country’s ICT development and e-governance is on the same level as their cyber security development.
Mr. Marwan Ben Rached (ITU) gave the third presentation, explaining ITU’s Global Cybersecurity Index (GCI) which monitors and compares countries’ cybersecurity commitments by examining 5 pillars: legal, technical organizational, capacity building and cooperation. The first version was published in 2014, with iterations in 2017 and 2018, and a 4th version planned for 2020. The GCI utilizes other existing assessment tools such as the CMM and Potomac Institute’s Cyber Readiness Index it its open source data collection and the methodology is a four-step process comprising of development, weightage, calculation and review. To conclude, Mr. Rached underlined that the impact of the GCI is profound, not only as tool that enhances awareness and shares best practices, but also a tool that helps identify gaps or areas for improvement.
The assessment phase of MITRE’s National Cyber Strategy Development & Implementation (NCSDI) Framework was presented by Ms. Cynthia Wright (MITRE), pointing out that this tool is not publicly available as it is used by the US State Department for countries they want to engage with. During the assessment phase, the team spends a day determining the country’s current capacity across 8 strategic areas in the context of national cyber-related opportunities and risks/threats through preparatory questions, stakeholder surveys and table-top exercises. The framework is not intended to be maturity model or index, but instead looks at a country’s aspirations compared to where they are at presently. Ms. Wright explains that this is because not every country has the same priorities and wants to be at the most mature level for each area. To close, Ms. Wright discussed some points of comparison between the framework and the CMM and highlights MITRE’s Cyber Workforce Development Framework coming soon.
Ms. Melissa Hathaway (Potomac Institute for Policy Studies) delivered a presentation on Potomac’s Cyber Readiness Index 2.0 (CRI) which evaluates and measures a country’s maturity and commitment to securing their national cyber infrastructure and services. Ms. Hathaway underlined the need to address digital risks before describing the CRI 2.0 methodology, which encompasses over 70 unique data indicators over 7 essential elements. She explained that the essential elements are assessed according to four categories (statement, organization, resources and implementation) and further elaborated on the 7 elements and what they look for. The CRI 2.0 methodology is available online in English, Russian, Arabic, Chinese, French and Spanish.
The sixth and final speaker was Mr. David Satola (World Bank), who presented the online Assessment Tool that is part of the World Bank’s Combatting Cybercrime tool. The Assessment Tool enables countries to determine gaps in capacity to combat cybercrime and identify priority areas to direct capacity-building resources. Mr. Satola explained that the Assessment Tool assesses capacity readiness using around 115 indicators and is organized according to the Combatting Cybercrime tool’s 9 dimensions. He also illustrated examples of indicators with a spider-web graph by looking at 2 of the dimensions – legal frameworks and non-legal frameworks. The Combatting Cybercrime tool is currently in the 2nd phase of funding.
At the end of the session, the speakers responded to questions that touched on topics such as the funding of the assessment tools, including an awareness component in the metrics, methodology and data collection.
The session received a lot of positive feedback for providing insight on many different assessment tools and the conversation will be taken forward in the Strategy and Assessments Task Force. If you are interested to learn more or to join the Task Force, please get in touch with the GFCE Secretariat at firstname.lastname@example.org.
The presentation slides can be found on Cybil using the links below:
- CMM, Michael Goldsmith (GCSCC): https://cybilportal.org/tools/cyber-security-capability-maturity-model-cmm-v1-2/
- GCI, Marwan Ben Rached (ITU): https://cybilportal.org/tools/itu-global-cybersecurity-index-gci-v4/
- NCSDI Framework, Cynthia Wright (MITRE): https://cybilportal.org/tools/national-cyber-strategy-development-implementation-framework/
- CRI, Melissa Hathaway (Potomac Institute): https://cybilportal.org/tools/cyber-readiness-index-2-0/
- Combatting Cybercrime Tool, David Satola (World Bank): https://cybilportal.org/tools/combatting-cybercrime-tools-and-capacity-building-for-emerging-economies/