The EU Experience in Global Cyber Capacity and Institution Building
In recognizing the intersection between cyber resilience and development, the EU has defined cyber capacity building in third countries as a strategic building block of its 2013 Cybersecurity Strategy. Based on lessons learnt from traditional development cooperation and its internal experience and best practice, the EU has tailored a cyber capacity building model that aims at increasing the cyber resilience of partner countries while integrating a multistakeholder and rights-based approach. The challenges are numerous, as are the needs, and require innovative, cross-sectoral and integrated cooperation.
Written by: Ms. Panagiota-Nayia Barmpaliou, Cybersecurity and Organised Crime Programme Manager at the Directorate General for International Cooperation and Development of the European Commission.
The intersection of cyber resilience and development
Two thirds of Internet users live in the developing world where access to the Internet is growing almost four times faster than in developed countries. Broad ICT strategies are rolled out especially by developing nations which seek to reap the digital dividends. The importance of ICT as an enabler for sustainable development and a means for governance accountability has been long recognized by the development community and further confirmed in the 2030 Agenda for Sustainable Development.
In recent years this process has been accompanied by increased awareness of the need to have a safe and secure underlying digital environment, or cyberspace. Threats posed by malicious cyber activities, such as cybercrime and attacks on digital services and infrastructure, or accidental failures, demonstrate that the economic and social benefits of ICT cannot materialize in a vacuum. Instead, the incorporation of cyber resilience aspects is a prerequisite for any such effort to be constructive and sustainable.
Anchored in its development cooperation commitments, the EU has recognized the need to foster open and prosperous societies through cyber capacity building measures in third countries that pursue a whole-of-government approach and enable citizens to fully enjoy the social, cultural and economic benefits of cyberspace. The EU started its programmatic approach by supporting justice sector reforms in the fight against cybercrime in the Western Balkans in 2010 and a year later also with Eastern European partners in joint programmes with the Council of Europe. Building on this experience, the EU commenced a comprehensive cyber-specific capacity building engagement at a global level following the adoption of its 2013 Cybersecurity Strategy.
The EU experience and approach
The EU has tailored a cyber capacity building model that integrates its internal experience with lessons learnt from traditional development cooperation. The EU approach is based on the EU Member States’ internal experience to enhance their cyber capabilities and best practice identified with the support of the European Cybercrime Centre (EC3) at Europol and the European Union Agency for Network and Information Security (ENISA). The EU’s support focuses on:
- Facilitating the development or reform of appropriate regulatory and legal frameworks in compliance with international standards and in a manner that fosters greater international cooperation. In this context, the EU is committed to promoting the Budapest Convention on Cybercrime as the international legal framework of reference in the fight against cybercrime;
- Enhancing the capacities of criminal justice authorities, such as law enforcement, prosecutors and judges, in order to enable them to effectively investigate, prosecute and adjudicate cases of cybercrime and other offences involving electronic evidence;
- Supporting the development of organizational, technical and cooperation mechanisms that increase cyber resilience and preparedness, such as: facilitating the development of national cybersecurity strategies, promoting effective inter-institutional, inter-agency and international cooperation as well as public-private exchanges and setting up functional national Computer Emergency Response Teams.
In order to pursue effective institutional and administrative cyber reforms and increased operational capacities of third countries, the EU draws on the overall aid effectiveness agenda and its experience in actions that are at the heart of the security-development nexus. The criteria used are: local ownership, transparency and accountability, result orientation, inclusive partnerships in the pursuit of sustainability and the application of an overarching rights-based approach.
Given the considerable disparities in the level and maturity of Internet, telecommunication, ICT infrastructure and criminal justice capabilities across countries, a tailored and demand-driven approach is necessary to address their divergent needs. Any engagement needs to be formulated around the three dimensions that form the tenet of any comprehensive cybersecurity conceptual framework: the adoption and implementation of a comprehensive set of policy, organizational, and technical measures that will increase their cybersecurity preparedness, following a multi-stakeholder and human rights compliant approach.
Challenges: scaling up and breaking silos
To date, the EU’s experience confirms several key challenges that are specific to the cyber sphere. Firstly, the cyber needs of developing countries, especially with regard to institutional capacities (law enforcement, judiciary, incident response agencies), are so high that effective and consistent cooperation in capacity building is the x factor in coordinating limited resources and avoiding fragmentation. For this reason, the creation of the Global Forum on Cyber Expertise can play a pivotal role as a platform for deconflicting and synergizing amongst the plethora of actors that are ushered into the cyber capacity building universe.
This aspect cannot be overstated, as the available expertise for delivery of technical assistance does not meet the demand of developing countries, whilst even developed countries are often struggling. Thereby, the scaling up of cybersecurity capacity building programmes that require long-term expert commitment could be positively pursued through the promotion of a regional approach in triangular cooperation that can lead to the creation of hubs of local experts in different regions.
A second challenge touches upon the persistent silos amongst different cyber communities within a given country. While in the area of cybercrime the stakeholders are clear thanks to the distinct criminal justice context, within the broader cybersecurity ecosystem the policy, technical, business and civil society communities most often do not cooperate. In order to overcome the disconnect between these actors, the facilitation of functional multi-stakeholder and multi-dimensional engagement is fundamental.
Undoubtedly, these challenges also represent opportunities to drive the different communities to work together in innovative ways. Critical to this process will be the successful mainstreaming of cyber as a crosscutting issue across policies and practices both in developed and developing countries. We are not there yet.