Report on the “Lessons learnt on CCB Implementation” Session
Report | GFCE V-Meeting “Lessons learnt on CCB Implemetation” | 22 May 2020
This session brought together implementers and beneficiary countries from different regions to share and discuss their experiences and lessons learned from the implementation of their Cyber Capacity Building projects. The session was moderated by Mr. Bertram Boie, Senior Economist at the Digital Development Global Practice of The World Bank.
The first speaker was Mr. Duncan Macintosh, CEO & Executive Director of the Asia-Pacific Network Information Center (APNIC) Foundation, which aims to increase investment in Internet development in APAC region. APNIC Foundation takes a very active approach to cyber capacity building and engagement with around 250 missions completed or ongoing in 35 economies. Specific cyber capacity building activities of APNIC include workshops, Network Operator Group events, as well as engagements for security, development and CSIRTS. The impact of the pandemic in 2020 has meant that APNIC Foundation has relied on translating their activities to remote alternatives, with the focus on providing technical training in relation to Internet development. Networking from Home is a good example of this and represents a new virtual event initiative to provide network engineers and technical folk in the Asia Pacific space to share their experience and expertise with their peers. Duncan also shared some lessons learned from APNIC Foundation on projects related to CERT development, highlighting the importance of community consultation and coordination, as well as the benefits of using open source & vendor neutral tools that support learning and decision making in CCB projects. In addition, APNIC Foundation runs a grants program called ISIF Asia, providing 12 years of experience that includes lessons such as the importance of understanding for funding technical innovation, making training and impact sustainable and involving technical teams in policy framework development.
The Organization of American States was represented by Mr. Belisario Contreras, Manager Cybersecurity Program and Mrs. Kerry-Ann Barrett, Cybersecurity Policy Specialist. Mrs. Barrett spoke on the general focus of the OAS Cybersecurity Capacity Program on trying to help Member States understand the likelihood and impact of threats from cyberspace. The cybersecurity program of OAS was created in 2012 to respond to the mandates received by the Member States in the area of capacity building. OAS recognizes that responses need to be holistic – issues of capacity in responding to such threats are not limited to just technical solutions but should encompass a whole-of-nation approach, where end-users, first responders and decision makers are all involved in policy. Specific examples of CCB activities include the regional symposium that has been conducted for the past five years, which focuses on the promotion and exchange of experiences and good practices. The symposium also addresses the need for OAS trainings to be more specified in their delivery, with experts sharing insights on specific topics. Another example is the partnership of OAS with Trend Micro, focusing on building capacities of women in the region and helping women in the cybersecurity industry improve their practical skills in combination with training. These ongoing projects highlight that cyber capacity building is not one-stop-shop, but an iterative process that requires continuously building on what has been learnt.
Mr. Contreras continued the discussion by touching on some specific activities of OAS in the field of capacity building, including the development of a toolkit for updating cyber security strategies and arranging remote online events. In a recent presentation, the OAS Secretariat proposed three points for CCB in the future: firstly, countries should remain agile in adapting national cyber security strategies and assessing legal and regulatory frameworks on cyberspace. Governments can’t act alone, and the participation in decision making of the technical community and private sector is essential for resilience. The harmonization of legislation between countries should also be a priority – in this regard, Mr. Contreras confirmed that the Budapest Convention is the most global and inclusive convention in the fight against cybercrime and the OAS will continue to promote the adoption of this instrument by its Member States. The second aspect related to increasing international cooperation as there is a huge need to increase trust at all levels and across industries. Lastly governments and privacy institutions should combine efforts and work towards unified awareness raising campaigns. Through this process of adjusting, increasing and unifying there will be opportunities; OAS considered that the trust fund on cyber issues of the World Bank needs to be adjusted to the new realities. OAS has been working with several multilateral and international agencies and it is their belief that access to this trust fund needs to be revised, in particular looking at how regional organizations, the technical community and other key actors can gain access to this fund and how they can be more innovative in implementing policies that are aimed at transformation for end users.
Mr. Casey Torgusson, Senior Digital Development Specialist at the Digital Development Global Practice of The World Bank, then gave an overview of the Caribbean Digital Transformation Program. This is a regional investment project that is provided to the governments of St. Lucia, St. Vincent, Dominica and Grenada. Broadly, the project concerns development of the digital economy across the region, looking at the foundations for digital economy at the national level but also at opportunities for cross-country collaboration. There is strong recognition for cross-country collaboration especially given that issues of cyber security do not always have priority for countries with smaller populations who need to balance these with considerations for other economic issues.
The project looks at the digital enabling environment for the region, addressing issues of telecom sector policy and regulation as well as promotion of access to broadband whilst attention is also placed on access to digital risk mitigation, looking at cyber security and data protection policy and practices. In addition, the project focuses on digital financial services, including efforts for trying to unlock more innovation and access to innovative products. Furthermore, there are components on digital government infrastructure platforms and services, with the aim of modernizing public service but also improving service delivery – this also focuses on attaining interoperability of services across borders. Finally, the project looks at digital skills and technology adoption, trying to create a skills-to-jobs pipeline and tackle some of the unemployment issues in the region.
Within the cybersecurity components, there are both regional level and national level interventions. The World Bank works with local partners to develop a CERT model for each country that wants to implement such an agency, developing a framework that accounts for close international collaboration & regional similarities. There will also be resources for legislative and policy review, as well as a public awareness campaign.
One question from participants asked what the baseline was for identifying best practices & whether a research component will be included in order to identify what works in practice, particularly with respect to the awareness campaigns. Identifying best practices is the first activity financed under the program and a study is commissioned to define what model is the best fit for the region, which is a complex and unique context in terms of threats emanating from cybersecurity, so there is also a growing awareness of the need for this kind of support but no real knowledge on where to begin. Limited financial resources are currently available, so there is a desire to come up with a model that makes sense in terms of sharing lessons learned and cooperation between countries on implementation.
Ms. Ida Mboob, Digital Development Specialist also of the Digital Development Global Practice, then gave an overview of the World Bank Cyber Security Program in Africa region. Firstly, Ms. Mboob noted an increased demand for remote provision of services in the current context of the pandemic which is providing a direct challenge to the activities of the World Bank and other organizations. One of the priorities of the Cyber Security Program is to support regional integration and promote cooperation between countries on specific issues. Smaller countries tend to have both capacity and resource issues, so for organizations working on regional issues and policy it helps to try to assess how to conduct activities in an efficient way and make sure that the capacity being developed can be applied cumulatively. The program focuses on providing capacity at the analytical level whilst also providing for technical and security trainings. At the analytical level, what World Bank finds is that many countries have developed cyber security strategies and policy but never conducted a formal assessment of what their levels of maturity are. This provides several challenges for implementation and legislative development, as the generic nature of these strategy documents do not align with specific needs and context.
In terms of lessons learned, Ms. Mboob mentioned that convening power is essential for developing policy on cyber security because it is a country issue with cultural implications. If you are unable to bring all stakeholders into the discussion, there will always be a gap between the policy and implementation in real time. The leadership aspect is also essential, which involves asking the target actors to take the lead on designing and driving the project forward. Mention was also made of identification of an authority as important for allowing more stakeholders to take accountability and responsibility for certain aspects of the project. These lessons have all been evident in the increase in the number of requests from countries to have access to more information on how they can receive support in this area, as well as in the awareness on the issues and the implications this has for the inclusion of cybersecurity development projects at the national level. In addition, it is also important to continue to think about the links between data protection, cybersecurity, privacy and ICT security priorities – more support for regional integration on this aspect should be explored alongside ways of incentivizing the inclusion of these types of projects as a priority by target countries, in particular given the benefits of merging resources and capacity such as reduction of the costs of increasing security measures and maintaining protection.
The last speaker was Ms. Chinenye Chizea of the National Identity Management Commission (NIMC) Nigeria. Ms. Chizea shared some of the experiences of Nigeria as a beneficiary country of the World Bank Cybersecurity Program, giving some background context in which it was made evident that the ICT sector in Nigeria increasingly contributes to national GDP whilst Internet penetration in local economies has grown substantially in terms of numbers of active users. Having attended several events, Nigeria highly valued the exposure to other stakeholders and felt that these interactions presented opportunities to discuss specific issues and challenges whilst learning about applications and solutions to address these needs. For Nigeria, lessons learned have always been centered around identifying those best practices that can work for their environment; one example is the implementation of the national identification program & developing the system for scaling up the enrolment process. Through this process, Nigeria has had to identify and develop an ecosystem which requires taking ownership, engaging with stakeholders and key to this is the cyber component, including principles of security and privacy by design. Knowing that there is a community out there to help implement and develop best practices has been of immense value in this process.
In conclusion, it has become clear that it will be important to be systematic and strategic in identifying needs for cyber capacity building globally whilst there will also need to be increased coordination of different perspectives in order to achieve more than what can be achieved from narrow cooperation. It will also be important to coordinate and develop knowledge jointly and continuously assess the standards and benchmarks, and whether these are the same for all countries or context dependent.