This module is a resource for lecturers
International cooperation on cybersecurity matters
The International Telecommunication Union (ITU), a United Nations agency that is considered the "premier global forum through which parties work towards consensus on a wide range of issues affecting the future direction of the ICT industry" (ITU, n.d.), launched the Global Cybersecurity Agenda, which is "a framework for international cooperation aimed at enhancing confidence and security in the information society" (ITU, n.d.). The ITU Global Cybersecurity Agenda identifies five strategic pillars: legal, technical, organizational, capacity-building, and cooperation (see Image 3).
Image 3: Pillars of the Global Cybersecurity Index
Source: Acayo, Grace. (2017). Global Cybersecurity Index Overview. International Telecommunication Union, 2nd Annual Meeting of Community of Practice on Composite Indicators and Scoreboards (9-10 November 2017, Ispra, Italy), slide 5.
The legal pillar focuses on harmonized regulations and laws relating to cybersecurity and cyber-dependent and cyber-facilitated crimes. Cases in point are cybercrime laws (see Cybercrime Modules 2 and 3), data protection laws and regulation (see Cybercrime Module 10), cybersecurity laws, and other related laws (e.g., Denmark, Danish Data Protection Act of 2018; Fiji, Crimes Decree 2009: Division 6 - Computer Offences; United Arab Emirates, Federal Law No. (1) of 2006 on Electronic Commerce and Transactions; and the United Kingdom, Computer Misuse Act of 1990 and Data Protection Act of 2018) (for more information about this pillar, see ITU, 2015; ITU, 2017).
The technical pillar covers existing technical institutions, cybersecurity standards and protocols, and the measures needed to deal with cybersecurity threats. An example of a technical institution is a Computer Emergency Response Team (CERT), which is defined as "an organization or team that provides, to a well-defined constituency, services and support for both preventing and responding to computer security incidents" (Wahid, 2016). CERTs vary in capabilities depending on the range and combination of reactive, proactive and/or security quality management services offered (CMU-SEI, 2006). For example, these services can include promptly responding to an incident so that the attack can be quickly contained and investigated, and to facilitate rapid recovery to a pre-incident state (Borodkin, 2001). In addition to incident response, a CERT may engage in other activities, such as conducting vulnerability assessments and providing security briefings; these additional activities depend on the organization (Proffitt, 2007). Countries can have national, government, and sector-specific CERTs and Computer Security Incident Response Teams (or CSIRTs), or a combination of some or all of these (for more information about this pillar, see ITU, 2015; ITU, 2017). CERTs/CSIRTs have also created groups within their regions to share information and coordinate activities, among other things (e.g., Asia-Pacific CERT or APCERT; Africa CERT or AfricaCERT).
Did you know?
CERT® is a registered trademark of the Software Engineering Institute of Carnegie Mellon University. CSIRTs can request authorization to use the CERT mark. This website includes the steps that should be taken by a CSIRT to receive authorization to use the CERT mark.
The organizational pillar includes organizational structures and policies on cybersecurity and responsible agencies for coordinating cybersecurity policy. National cybersecurity strategies and national cybersecurity frameworks are included in this pillar, as well as the regulatory bodies that oversee the implementation of these strategies and frameworks (e.g., the Cyber Security Council in Iceland; the Federal Office for Information Security in Germany; the Office of Cybersecurity and Information Assurance in the United Kingdom; the Ministry of Science, ICT and Future Planning in the Republic of Korea; and the National Planning Department and the Ministry of Information Technologies and Communications in Colombia, to name a few) (for more information about this pillar, see ITU, 2015; ITU, 2017).
The capacity-building pillar covers efforts to promote cybersecurity awareness, education and training. Examples include public awareness campaigns, cybersecurity research and development, professional training, and national education programmes and curricula. For example, in the Dominican Republic, "[t]he National Commission for Information Society and Knowledge (CNSIC) has an officially recognized national awareness program that promotes norms, values and social behaviours that contribute to integrity, creativity and innovation in navigating cyberspace" (ITU, 2015, p. 171; for more information about this pillar, see ITU, 2015; ITU, 2017). Related cybersecurity awareness and education campaigns have been launched by other countries as well (see box on "Examples of National and International Cybersecurity Awareness and Education Campaigns"). In addition to these cybersecurity awareness and education campaigns, the ITU provides tools to assist countries in their capacity-building efforts. These tools are designed to "capture information about specific threats targeting the country" (Honeypot Research Network or HORNET) and "aggregate and disseminate relevant incident data" (Abuse Watch Alerting and Reporting Engine or AWARE) (ITU, n.d.).
Examples of National and International Cybersecurity Awareness and Education Campaigns
Australia
Australia has a Stay Smart Online campaign that provides individuals and small businesses with information about how to protect themselves from and reduce the risk of cybersecurity threats. Moreover, Australia's Office of the eSafety Commission website promotes online safety by providing education resources for children, parents, and others, informing them about various forms of cybercrimes (particularly interpersonal cybercrimes, discussed in Cybercrime Module 12) and ways they can protect themselves online, and providing users with the option to report certain cybercrimes via the website. For example, the Office has an image-based abuse online reporting portal, where victims can report instances of their nude or sexual images being shared (uploaded/distributed) without their consent. The Office then endeavours to locate the images and work with the relevant social media or internet intermediary (and in some cases, individual perpetrators) to have the images taken down and deleted (Flynn and Henry, forthcoming).
Canada
In Canada, Get Cyber Safe provides individuals and businesses with information about cybersecurity risks and the ways in which individuals and businesses can protect themselves from cybersecurity threats.
United Kingdom
The United Kingdom's GetSafeOnline campaign is a cybersecurity awareness initiative that affords individuals information on safe practices at home and in the workplace.
United States
The National Cyber Security Alliance's StaySafeOnline initiative offers people information about safe Internet practices, cybercrimes, securing key online accounts and digital devices, and privacy management. The National Cybersecurity Awareness Month (NCSAM), observed every October, was launched in 2004 by a public-private partnership (i.e., the National Cyber Security Alliance and the US Department of Homeland Security) whose objective is to provide the resources people need to navigate the Internet safely and utilize digital devices securely. Likewise, the European Cyber Security Month (ECSM), a cybersecurity awareness campaign that is similarly observed every October, seeks to inform individuals about cybercrime and cybersecurity in an effort to modify unsafe Internet practices. What is more, Safer Internet Day (SID) is celebrated globally in February every year to promote safety and encourage healthy and happy online communities.
The US Department of Homeland Security (DHS) also created an international cybersecurity education and awareness campaign known as STOP. THINK. CONNECT.™. Businesses, national government ministries, and national-scope NGOs in, for example, Bolivia, Panama, Mongolia, Tonga, Nigeria, Trinidad and Tobago, Antigua and Barbuda, Jamaica, India and Japan (to name a few) have adopted and deployed this type of awareness campaign (Anti-Phishing Working Group, n.d.). The US Department of Homeland Security created an information packet for its STOP. THINK. CONNECT.™ campaign to enable other countries to launch similar domestic campaigns within their own countries. This packet includes a best practices checklist, a sample communications plan, and cybersecurity awareness campaign metrics (European Cyber Security Month, n.d.).
South Africa
South Africa has deployed several cybersecurity awareness campaigns led solely by academe, private organizations, and government agencies (Dlamini and Modise, 2012). Moreover, South Africa's Department of Telecommunications and Postal Services created a Cybersecurity Hub, which includes information and resources on protective measures against cybercrime and cybersecurity awareness campaigns. Like the United States and other countries, South Africa has a cybersecurity awareness campaign, which is observed annually in October (Pazvakavambwa, 2016).
CyberBayKin, a Myanmar Cyber Security Campaign, was launched in 2018 to raise awareness about cyber safety and risk in Myanmar. It is initiated by Monash University (Australia) and Kernellix Co., Ltd. (Myanmar), in collaboration with the Myanmar Ministry of Transport and Communications National Cyber Security Centre. Six Myanmar comic characters designed for the campaign are introduced at the launch. The year-long campaign will see fortnightly cybersecurity awareness comic illustrations appear on the campaign's Facebook platform. It is supported and funded by the Australian Department of Foreign Affairs and Trade under the International Cyber Engagement Strategy and the School of Social Sciences at Monash University (CyberBayKin, 2018).
The cooperation pillar focuses on inter-agency and public-private partnerships, information sharing networks, and cooperative agreements. A case in point is Australia's International Cyber Engagement Strategy to enhance public-private collaboration and collaboration between countries. Other examples include countries' partnerships and information exchange with the ITU, European Union Agency for Network and Information Security (ENISA), Organization for Security and Co-operation in Europe (OSCE), and North Atlantic Treaty Organization (NATO), and cooperative agreements, such as the Council of Europe's Convention on Cybercrime of 2001, Commonwealth of Independent States' Agreement on Cooperation in Combating Offences related to Computer Information of 2001, the League of Arab States' Arab Convention on Combating Information Technology Offences of 2010, and the African Union Convention on Cyber Security and Personal Data Protection of 2014, to name a few (for more information about this pillar, see ITU, 2015; ITU, 2017).
A comparative analysis by the Organisation for Economic Co-operation and Development (OECD) (2012) of national cybersecurity strategies in ten countries (Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Spain, the United States, and the United Kingdom) revealed differences in definitions of cybersecurity, but similarities in the countries' approaches to dealing with cybersecurity in a comprehensive manner, by including content from each of the legal, technical, organizational, capacity-building, and cooperation pillars to varying degrees.
To create a comprehensive and effective national cybersecurity strategy, the 2018 ITU Guide to Developing a National Cybersecurity Strategy proposes the inclusion of the following thematic areas in the strategy: governance (discussed in this Module); risk management (i.e., the process of identifying, evaluating, and controlling and/or eliminating threats; discussed in Cybercrime Module 9); preparedness and resilience (discussed in Cybercrime Module 9); critical infrastructure services and essential services (discussed in Cybercrime Module 14); capacity and capacity building and awareness raising (discussed in this Module and Cybercrime Module 7); legislation and regulation (discussed in Cybercrime Modules 2, 3 and 10); and international cooperation (discussed in Cybercrime Module 7). Other organizations have also provided guidance on the development of cybersecurity policy and regulatory frameworks, technical and organizational measures, capacity building, and cooperation (e.g., the Commonwealth Telecommunications Organization's Commonwealth Cybergovernance Model of 2014).