The National Cyber Power Index: Does your country have a cybersecurity strategy?

Earlier this year, Harvard’s Belfer Center published its National Cyber Power Index (NCPI), which ranks 30 countries according to their digital capabilities. Central to the rankings is the ability of a nation to both defend itself from cyberattacks and also to wage cyber warfare itself.

"Cyber Power is made up of multiple components and should be considered in the context of a country’s national objectives," the authors explain. "Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively."

The report illustrates the increasingly strategic role cybersecurity is playing in the fate of nations, whether via things such as election interference or the theft of COVID vaccine research. This is especially so when the power for disruption lay not only with state actors but also with an increasingly potent number of non-state forces who have the means and the motivation to cause havoc.

National cybersecurity strategies

Given this state of affairs, it’s perhaps not surprising that over 100 governments are believed to have developed national cybersecurity defense strategies to combat the visceral threat cyberattacks pose to national infrastructure, businesses, and citizens themselves. Among these varied and disparate strategies, five common features stand out.

1. A dedicated agency for cybersecurity

To achieve robust and reliable cybersecurity protection at a national level, it’s vital that a single agency has overall responsibility for plans and defenses. Such an agency can drive the cybersecurity agenda for the country and is likely to oversee a portfolio of initiatives to protect key infrastructure, respond to attacks swiftly, and define cybersecurity standards. Obviously for such an agency to be effective will require the appropriate skills to be available, either in-house or via partnerships with external agencies across both government and the private sector.

2. A program to protect critical infrastructure

Inevitable limits to resources will mean that any national cybersecurity agency will have to focus their efforts in particular areas. By far the most important of these areas is critical infrastructure, which remains the most attractive target for hostile state actors. Disruption to this infrastructure can have a crippling impact on society, the economy, and overall national security. Critical infrastructure typically encompasses a mixture of operational technology and information technology, which adds to the complexity of protecting it successfully. The best are able to prioritize critical sectors and assets; a robust governance mechanism; and cybersecurity standards for the protection of critical assets that are globally recognized.

3. A clearly defined incident response and recovery plan

Among the cybersecurity community, the prevailing mindset is that it’s not if cyberattacks will happen, but when. It’s only when you accept that cyberattacks are inevitable that you can start to adequately plan for robust defense from and responses to attacks. It’s no different at a national level, and so governments should develop an incident response and recovery plan to both limit the effect of attacks and speed up the recovery. The best of these plans typically have a number of common features, including active monitoring of the threat landscape; a clear pathway for businesses and citizens to report threats and attacks; proactive measures to combat threats; multivariant sources of threat intelligence; a robust mobilization plan to respond to attacks; and severity-assessment tools that are standardized across the economy.

4. Clearly defined laws for all forms of cybercrime

The cyber threat landscape is a rapidly evolving one, so it’s vital that laws adapt and evolve to take account of this situation. Success largely depends on being able to decide which aspects of cybersecurity they wish to legislate, and which aspects they merely wish to provide guidance on. The Budapest Convention provides a good framework for governments to follow and is currently adhered to by over 60 nations. It outlines that countries would do well to enact both procedural and substantive laws to not only define the authority and responsibilities for each country but also the ways in which they will be enacted. The global nature of cybercrime means that countries should also strive to participate in global efforts to share intelligence and threats, while also collaborating on the investigation of cybercrime.

5. A robust and vibrant cybersecurity ecosystem

Last, but not least, cybersecurity is something that affects all of society, so governments will need to bring in help from the private sector, the cybersecurity community, and citizens to develop the most robust national strategy possible. The most successful nations have been able to cultivate an ecosystem of cybersecurity-related startups and entrepreneurs, while also developing a workforce with robust cybersecurity skills and a cyber-aware population that are familiar with the risks faced online and have appropriate digital hygiene habits. 

Society is infinitely better off when it is protected from the acts of cybercriminals. Doing so is by no means easy, but the best countries all have the above elements of their national strategy well covered. Their direction provides guidance for those who are not as advanced and show them what needs to be done to catch up. Given the constant threat of cyberattacks, it’s a process that no country can really afford to overlook.