The GFCE Foundation and the U.S. Department of State have announced a new partnership, leveraging U.S. funding, to increase international and regional coordination on cyber capacity building projects that aim to mobilize additional resources and expertise to build global cyber capacities. The partnership will focus on providing platforms for cyber policymakers, practitioners and experts from different countries and regions to facilitate sharing of experiences, expertise, cyber capacity building (CCB) best practices and assessments on key regional and thematic cyber issues.

The support from the U.S. Department of State comes at a pivotal point for the GFCE, as in 2021, we have increased our regional focus on coordination and cyber capacity efforts.  The Partnership has three focus areas: (1) Collaboration and coordination within and across GFCE regional projects; (2) Development and dissemination of CCB best practices, tools and information that streamline partner nation requests for assistance and influence donor investments; and (3) Increased public awareness and political support for CCB projects.

Michele Markoff, Acting Coordinator for Cyber Issues at the U.S. Department of State, noted, “As Secretary Blinken has said, ‘Cyber capacity building efforts will enhance global security and stability in cyberspace, and the State Department is committed to driving this agenda forward.’ The GFCE plays a key role in these efforts, and we are delighted to provide support to expand its work at the regional level to help ensure that all countries can protect their own critical digital networks.”

Chris Painter, President of the GFCE Foundation Board, noted that “The GFCE is excited for U.S. support of our global and regional cyber capacity building efforts. This partnership will allow for increased collaboration and coordination of cyber capacity building on a regional level and will increase the awareness and usage of the available tools and resources in the field.”

The fast-evolving integration of cyberspace into the daily lives of the people in the region and countries’ critical infrastructure offers numerous social and economic opportunities. It also poses significant challenges, particularly for countries with nascent digital economies.  Latin America and the Caribbean are experiencing an internet boom, with a growth of 1,808.4 percent in the last decade alone (source: Internet World Stats). Yet 45% of the region’s population is not yet online and significant investments in broadband and infrastructure will be required for the region and its population to more fully reap the benefits of the digital economy. It is estimated that a 10% increase in broadband penetration in the region could boost GDP by an average 3.2% and increase productivity by 2.6% (source: IDB).

Written by: Alfred Schandlbauer, Executive Secretary, Inter-American Committee against Terrorism, Organization of American States

Risks to data integrity, availability and confidentiality

Based on a survey on cybersecurity and critical infrastructure conducted by the Organization of American States (OAS) and the cybersecurity company Trend Micro in 2015, 53 percent of respondents noticed an increasing tempo of attacks on their computer systems, and 76 percent stated that cyberattacks were getting more sophisticated. The risk to data integrity, availability and confidentiality could negatively affect the productivity and economic growth of a region that is still struggling to propel itself into the digital age.  A digital economy can only flourish in an open, stable and secure environment trusted by its users; hence, it is critical that ICT investments are matched with similar investments in cybersecurity. The latter requires a comprehensive approach, ranging from technological investments to policies aimed at fostering a culture of digital safety.

Bearing this in mind, the OAS, in collaboration with the Inter-American Development Bank (IDB), recently published a comprehensive report on the state of cybersecurity preparedness in the 32 countries of Latin America and the Caribbean entitled: 2016 Cybersecurity: Are We Ready in Latin America and the Caribbean?

Cyber readiness across five dimensions

The report provides an in-depth assessment of the cybersecurity capabilities of the countries of the Western Hemisphere, based on the Capability Maturity Model (CMM) developed by the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford.  That model, employed for the first time in the world in this study on Latin America and the Caribbean (LAC), provides analysis based on five dimensions: (i) National Cybersecurity Policy and Strategy; (ii) Cyber Culture and Society; (iii) Cybersecurity Education, Training and Skills; (iv) Legal and Regulatory Frameworks; and (v) Standards, Organizations and Technologies.  Each dimension encompasses a number of indicators, which are graded according to five “maturity” levels, from an initial stage of maturity –in which a country may have just started discussing cybersecurity matters– to a stage in which a country is able to rapidly adapt to changes in the cybersecurity landscape.

By indicating the level of cybersecurity maturity in these different dimensions, our study highlights current advances in the 32 LAC countries, as well as insights with respect to prioritizing cybersecurity investments, providing national stakeholders with a complete understanding of their country’s cybersecurity situation.

The report concluded that of the countries in the region, Argentina, Brazil, Chile, Colombia, Mexico and Uruguay have relatively more developed cyber regimes. However, despite having fewer resources to direct at the issue, the Caribbean and Central American countries are as advanced in their legal frameworks.  Overall, Latin American and Caribbean countries have made significant efforts in updating domestic legislation to combat cybercrime.  Despite these advances, though, procedural cybercrime legislation requires reform to allow for the adequate prosecution of cybercrimes.  Likewise, privacy and data protection frameworks could be improved and benefit from the participation of civil society actors in this discussion.

Similarly, Brazil, Colombia, Mexico and Uruguay perform strongly in the areas of developing a cyber culture and educating their populations about its importance.  Other countries in the region could benefit from greater investment in those areas. To that end, governments, the private sector, and civil society should work together to increase national awareness of cyber risks and the potential impact of cyberattacks. Public-private partnerships must be formed and utilized to gain better understandings of each country’s urgent needs in the marketplace as it relates to cybersecurity. An early introduction of computer science and information security courses at all levels of the education system throughout the hemisphere would better prepare the next generation workforce.

A need for national cybersecurity strategies

The two least developed of the dimensions examined by the survey for the entire LAC region were “Policy and Strategy” and “Technologies,” With the latter dimension being essential to ensure the resilience of national critical infrastructure against cyberattacks.  To strengthen that dimension, many countries would benefit from inventories of their essential services, critical assets and critical information infrastructure in terms of cybersecurity for the purposes of conducting risk assessment and implementation of mitigation measures.  Many countries in the region, particularly in the Caribbean, have yet to create and implement national Cyber Security Incident Response Teams (CSIRTs), which are essential to coordinate incident response at the national level and to serve as points of contact for international incidents.

Finally, slow implementation and development of well-coordinated critical cybersecurity policies in the region significantly affects maturity levels in the “Policy and Strategy” dimension.  In many cases this is attributable an unclear governance structure to address cybersecurity at the national level.  A clear coordination structure for cybersecurity is one of the first steps a country must take to move further up the cybersecurity ladder by also improving progress in the other four dimensions; as such a structure would clarify lines of action and the roles that must be played by the different stakeholders to strengthen national cybersecurity.

We believe reports of this nature are important to provide a comprehensive understanding of not only the challenges and gaps in cybersecurity, but also the opportunities and strengths that each country can explore to continue to improve its cyber capacities.  In particular, it is our view that this report contributes to the cybersecurity literature by providing a more complete perspective of the LAC region. Given the dynamic nature of cybersecurity, the reapplication of the model utilized in our report on a periodical basis is critical to verify the region’s improvements and assess what still needs to be done.

There is always a dichotomy as to what should be included in a National Cybersecurity Strategy (NCSS) with the discussion often hinging on whether it should be called a Policy or a Strategy. Globally there are over 70 national cybersecurity strategies (NCSS) publicly available; in Latin America a total of 4 have been approved and 6 are in various stages of development. These strategies have been called various names such as National Strategy for Cyber and Information Security (Denmark) or Programme for the Development of Electronic Information Security (Cyber Security) for 2011-2019 (2011(Lithuania)).Some countries have taken another approach and have also included cybersecurity components in their national security strategies such as Russia (2013) and Denmark (Denmark Defense Agreement 2013-2017).

Written by: Kerry-Ann Barrett and Barbara Marchiori; they are part of the Cybersecurity Program at the Secretariat of the Inter-American Committee against Terrorism (CICTE) of the Organization of American States (OAS). In their capacities, they assist OAS member states in the conceptualization and development of National Cybersecurity Strategies.

Key ingredients of a National Cybersecurity Strategy

In terms of what should be included in an NCSS, several common themes have been covered globally, such as:

• Governance Frameworks (e.g., national coordination)
• Legal Frameworks (e.g., Cybercrime legislation and publication of technical standards)
• Public Awareness Raising (e.g., national or sector specific campaigns)
• Technical Capability/ Capacity-building (e.g., establishment of a national CSIRT, critical infrastructure protection, and academic programs)
• Public-Private Partnerships and International Cooperation (e.g., information sharing arrangements)
• Defense and Cybersecurity (e.g., establishment of a national command cyber defense center)

Many countries have also recognized the need to separate the roles for strategy development and operational response. For example, in Australia, there is the Cyber Security Policy and Coordination Committee, which is an interdepartmental committee that coordinates the development of cybersecurity policy for the Government; determines priorities and is responsible for international collaboration, while on the technical side there is both a. CERT Australia which is the national coordination point for the Australian Government for provision of cyber security information and advice and  b. the Cyber Security Operations Centre (CSOC).  Using Colombia as an example for the LAC region, policy is determined by the National Council of Economic and Social Policy, which usually approves what is known as the ‘CONPES’ (i.e. a high-level policy document that provides guidelines on socio-economic strategic issues for the country), while the Colombian Cyber Emergency Response Team (ColCERT) is a response mechanism for organization-specific cyber incidents.

Action and implementation

The approach of the Organization of American States (OAS) General Secretariat has been to prevail upon our member states to recognize that once a high level policy directive is given regarding cyber security, there must be an associated strategic plan of action to achieve that directive and its goals. The process for its development should always involve all relevant stakeholders (government, private sector, civil society, academia, et al.) and culminate in a document that is clear in its scope, addresses specific national threats, and articulates clear goals, objectives, as well as the steps needed to achieve those goals in light of identified priorities and indicators to measure progress. In relation to its implementation, once approved, the associated costs and available resources must be identified and included in the budgets of implementing agencies or entities.

The development process for NCSS in the LAC region has shown promising prospects, as each country has recognized the need to have a structured and coordinated approach to developing their NCSS. When requesting the support of the OAS General Secretariat to develop a NCSS, each member state is asked to establish a national multi-stakeholder working group to be part of the development of the strategy and to open a roundtable dialogue on the specific cybersecurity challenges facing their country. This open dialogue facilitates feedback as well during the drafting stages of the document.

The challenges of ownership and sustainability

The experience in LAC, however, has not been without challenges. There are so many factors external to the development process that affects its success. The identification of an owner/owners for the development and implementation of the NCSS, change in the national priorities as a result of unforeseen events such as a national disaster or change in Government, competing agencies vying for leadership, economic constraints, failure to obtain executive buy-in, among others. On the other hand, we have seen some uncommon and unprecedented approaches that have augured well for sustainability. For example, in one member state, the draft NCSS was shared with opposition parties before approval and their input and comments were taken into account, which aided in the document being approved seamlessly. In another, the directive to review the cybersecurity situation was given from the level of the Presidency. This ensured coordination of the process with all stakeholders, timelines being met and, ultimately, development and approval within a year of the process beginning.

In this context, it is still undeniable that NCSS are critical documents for coordinating national efforts to combat a threat that has international impact. The NCSS can only be successful if identified as an area of priority at the national level with a dedicated and well-resourced champion. This is particularly challenging in the LAC region, where countries are still struggling to achieve economic stability and increase Internet penetration.  When countries are faced with pressing social and economic issues, it is only natural that an investment in cybersecurity risk reduction is placed on the backburner. Investment in the Internet contributes to economic growth and social development and if the Internet is to reach its full potential in this regard, it must be secured.  Therefore it is imperative that cybersecurity be considered at the onset.

In 2021, the Organization of American States (OAS) became the first GFCE Regional Hub in the area, to better connect and enhance collaboration between regional stakeholders and the GFCE Community. The first GFCE-OAS LAC Cyber Capacity Building was held in March 2021 with an aim to introduce the LAC community stakeholders to the GFCE. Following that successful event, the GFCE-OAS Hub hosted a second regional event, the “Implementers and Donors Forum” with the purpose of bringing together donors and implementers involved in CCB in the LAC region to discuss coordination and find areas for collaboration and cooperation among regional actors.

It is in the context of regional cooperation, that the Secretariat of the GFCE, the Secretariat of the Inter-American Committee Against Terrorism (CICTE) which is the GFCE Regional Americas Hub and the Latin American and Caribbean Cyber Competence Center (LAC4EU), EU CyberNet Project organized the GFCE 2nd Regional Meeting in the Americas.

For this second regional meeting, the GFCE  hub for the Americas and the Caribbean region had the opportunity to gather 32 participants from 15 Member states. This meeting was held with the intention of discussing the role of the GFCE in Latin America and the Caribbean and how best to coordinate capacity-building efforts in the region and coordinate regional efforts more effectively. Additionally, the meeting served as an opportunity to introduce the progress of the GFCE LAC Hub, to discuss with participants the priorities for the future, and to introduce the GFCE and possibilities for involvement to key regional actors.

Additionally, the meeting set a starting point to continue the discussion around the different inputs on what could be the main angle of this region’s agenda for cyber capacity building. The region’s needs, workforce development and gender were among the issues standing out in the open discussion.

An additional outcome of the meeting was the opportunity to connect various dots in existing gaps in CCB, providing updates on various projects and providing a platform for exchange not only among the countries but also among stakeholders as the meeting had a good mix of government representatives as well as the tech community in particular. As an example, some projects presented were the CSIRT best practices project by the OAS.

Some of the main results included the opportunity to present the various CCB projects and implementers in the region and also to share global good practices that exist and that are being implemented in the region. This activity facilitated information sharing and provided an environment to promote greater coordination, collaboration, and networking opportunities among all cybersecurity stakeholders that were present during the event. Specifically, as it relates to the Caribbean region, we were able to open the dialogue on their various challenges and needs related to their cybersecurity issues.

The next step will be to draft the regional agenda and start a process around approving that, ideally with a buy-in from stakeholders across the region. This should feed into the global agenda on capacity building.

The GFCE Regional Hub for the Americas and the Caribbean held their 2023 Regional Meeting as a satellite event to RightsCon on the 5th June, 2023. The Hub provides practical guidance, expertise, and support to cyber communities, including regional organizations, private sector entities, institutions, and governments. It also facilitates access to the GFCE’s global network for countries seeking support.  

The objective of this year’s Regional Meeting in the Americas was to discuss the role of the GFCE in Latin America and the Caribbean and how to best coordinate capacity building efforts in the region. It provided an opportunity for participants from the region to connect and engage in conversations about existing gaps in cyber capacity building, share good practices, and prioritize their needs for the future. Specific attention was given to gender aspects and cyber workforce development in the region. 

The meeting report is also available in Spanish.