Towards an inclusive cybersecurity capacity building approach

Event report

[Read more session reports and live updates from the 12th Internet Governance Forum]

Mr Belisario Contreras, Cyber Security Program Manager at the Organization of American States (OAS) welcomed participants and introduced the workshop and the panellists. Ms Lea Kaspar, Executive Director of Global Partners Digital (GPD), shared that the GPD facilitates meaningful engagement of civil society in the cybersecurity policy environment, and works on developing a framework which is issue-agnostic and stakeholder-agnostic. Mr Felix A. Barrio Juarez of the Spanish National Cybersecurity Institute stressed the importance of capacity building in cybersecurity, especially for the business community. Ms Carolin Weisser of the Global Cybersecurity Centre at the University of Oxford informed about the maturity model used to assess existing capacities of countries. The model was applied in 60 countries around the world. Weisser also shared that in collecting data, their methodology encourages stakeholders to participate in the assessment, and in practice includes stakeholder consultations over three days.

Ms Kaja Ciglic, Director of Cybersecurity Policy and Strategy at Microsoft, highlighted their cooperation with the Global Forum on Cyber Expertise (GFCE), OAS and the US government in capacity building (CB). According to Ciglic, CB efforts have also helped Microsoft to improve internal processes, and then to further share lessons learned by publishing policy papers and sharing best practices within the technical community. Ms Liesyl Franz, Senior Policy Adviser at the Office of the Coordinator for Cyber Issues at the US Department of State, explained that the US utilises a ‘whole-of-government’ approach with CB programmes, but also uses key principles – such as that the Internet must remain open, interoperable, secure, and reliable – to underpin such programmes. She reminded the group that states act as caretakers and have to work with other stakeholders in building a strategic framework and operational mechanisms, like CSIRT.

Mr Chris Painter, of the Global Commission on Stability of Cyberspace (GCSC), saw three types of CB:

• Technical, including those with law enforcement authorities (LEA) and CIRTs, to build skills;
• institutional, to build national strategies, instruments and CSIRTs, like what the OAS is doing;
• policy-making, to enable policy-makers to understand political aspects of cyberspace, like what UNIDIR and others are trying.

He emphasised the importance of linking these different types and praised the Global Forum on Cyber Expertise’s (GFCE)  work in providing such links and bringing various CB communities together.

Addressing challenges, Kaspar warned that multistakeholder approach is sometimes taken for granted: while it is an integral part of discussions on IG and within ICANN, this is not so with cybersecurity discussions which are related to the security community. She also warned of the securitisation of cybersecurity discussions and suggested that greater inclusiveness could help to offset this trend. Weisser added that another challenge is that some actors do not know each other and that the language and terminology can be different. Ciglic warned that sometimes different regulatory aspects – content regulation, network security, and cybercrime – are mixed together. Talking about good practices, she praised the US NIST cybersecurity framework as one that others should also look into.

Franz reminded the group that cyberspace is an evolving landscape, and there are no single or static solutions. Security is a journey, not a destination, she warned, and invited continuous re-assessment. She also emphasised that sectors are blurring and interdependence among sectors is growing, giving an example of the US framework for the critical infrastructure which was produced in a collaborative manner, while the NIST framework was convened by the National Institute for Technology but fuelled by the business and technical communities. She also praised the GFCE as a good framework to coordinate CB on global level. Juarez informed the group about the annual summer camps, as well as the open online courses on cybersecurity for small and medium enterprises (SMEs), organised together with the OAS. He also warned that there is an underrepresentation of women in cybersecurity as less than 10% of the workforce in cybersecurity in Europe are women.

Painter suggested that there is no need to shy away from the term cybersecurity, since one can put other important topics under it, including human rights. As for inclusiveness, he gave an example of work on cybersecurity strategy in Chile, which was developed by the military structures but was nevertheless inclusive of other stakeholders. He also warned that many countries do not have a multistakeholder tradition, and that can be a challenge, but also an opportunity to establish such a mindset through cybersecurity efforts. Contreras built up on the involvement of women, asking how stakeholders can help bridge the gender gap. Ciglic responded that this is a long-term issue, and suggested educating girls across the board, starting with the awareness among small children. Kaspar underlined that there is no formula or number of women or any other stakeholder that needs to be in place to make capacity building work. Weisser added that inclusion should not exist solely for sake of inclusion.

A question from the audience raised the issue of involvement of LEAs in reporting crimes and asked what would be the most desirable education background for cybersecurity. Painter responded that there needs to be better education of LEAs and the public on reporting incidents; he also commented that no particular career path is a mandate. Franz warned that it is also important that people are aware of the numbers to call, instead of calling their providers, and informed the group about the US awareness raising programme by the National Cybersecurity Alliance. A comment from the audience noted that some companies look for passion in cybersecurity, instead of a specific profile, and suggested several approaches for cyber CB, including a holistic multidisciplinary approach which can also encourage the involvement of more stakeholders. The participant also suggested an interactive and engaging format of CB to enable knowledge-sharing with a global approach to allow sharing of experiences, and then warned that CB is a comprehensive process with multiple components including, but not limited to, training and courses, as well as fellowships to the IGF.

Another question was how can a principle of ‘do no harm be incorporated into CB – for instance, while training LEAs, to encourage them not to break or ban encryption. Painter said this may be an issue particularly in less democratic environments, and that a balanced approach is needed. Franz added that ‘whole-of-government’ approach can help, by bringing in departments that are also concerned with other issues, like human rights. She also suggested that CB beneficiaries may be advised to run an open debate on such issues.

Kaspar also added that the framing of cybersecurity as a national security issue may be problematic, and reminded the group of the human-centred definition of cybersecurity developed by the Working Group of the Freedom Online Coalition. Juarez added that LEAs and the technical community should also build capacities to protect democratic values. In closing, Weisser added that a regional approach to CB may be beneficial, as it takes into consideration cultural aspects and existing relationships of trust.

By Vladimir Radunović