How to set the standard for cyber security? Guidelines and good practices

Event report

[Read more session reports from the WSIS Forum 2018]

The moderator of the thematic workshop, Mr Marco Obiso, International Telecommunication Union (ITU), introduced the themes of the workshop: cybersecurity standards with a possible extension to Internet standards, and the possibility for standards to facilitate and improve the development of the cybersecurity culture on a global level.

Ms Manon van Tienhoven, Global Forum on Cyber Expertise (GFCE) Secretariat, presented their platform as being a global, informal, bottom-up, global forum, where its members (countries, international organisations, and private companies) come together to exchange best practices and expertise on cyber capacity building. Together with the GFCE’s partners (technical community, think-tanks, and civil society), members build best practices on cyber capacity building. The core objective of the GFCE is to identify successful policies, practices , and ideas to multiply on a global level. During 2018 and 2019, the GFCE plans to facilitate and coordinate knowledge and expertise sharing for the implementation of cyber capacity building, through the work of the GFCE Working Groups. Each working group focuses on five themes identified in the Delhi Communique. Van Tienhoven underlined that setting the standard for cybersecurity means guidelines and good practices, but also lessons learned.

Mr Dejan Dincic, DiploFoundation, spoke about the importance of the context in which good practices on cybersecurity are found. Good practices often depend on the local context and if the same practices are implemented in another context, there is a possibility that they will not work in the same way. However, cybersecurity is global and cyberspace is interconnected, which is why the possibility of replicating good practices in another context was considered. An important issue was applying capacity development practices from other fields to the cybersecurity field, which meant applying systemic and comprehensive approaches to capacity building. Solving particular problems is not enough, understanding the social and economic context in which the problem is occurring needs to be taken into consideration as well, Dincic stated. Documenting and communicating good practices was also challenging – they needed to be presented in a practice-oriented and approachable way; they had to be easy to find, key elements had to be clearly stated, their use had to be clear etc.

Mr Maarten Botterman, Internet Infrastructure Initiative, explained that the initiative is a GFCE capacity building project. It aims to help build a robust, transparent, and resilient Internet infrastructure – which is key to countering infringements and threats to the cyber domain, diminishing the chances and impact of cyber-attacks and cybercrime, enabling the public to maintain confidence and trust, and it is a precondition for the use of the Internet as a means to boosting innovative and economic activities. The initiative seeks to ameliorate the local know-how in applying, testing, and monitoring of open Internet standards. Its key elements include national Internet infrastructure protection, Internet exchange points, registries, open source software, e-mail security, and routing security. Botterman recommended focusing on open Internet standards that are already accepted. The initiative plans to set up capacity building events, targeted at the regions that are catching up, bringing together regional stakeholders, raising awareness on open Internet tools, presenting good practice examples, and creating impact through a joint commitment for action. These events are supported by GFCE members, regional Internet registries, the Internet Society, and the Ministry of Economic Affairs of Netherlands. Botterman also gave some examples of good practices: the multistakeholder platform and Internet.nl.

Dr Abdullah Salim Al-Balushi, Information Technology Authority, Oman, presented the his country’s experience and learned lessons. The Global Cybersecurity Index 2017 lists Oman as the fourth country globally in terms of cyber wellness. Cybersecurity has become a national policy priority in Oman. The Cybersecurity Framework drafted in Oman focuses on identifying cybersecurity risks, production, detection, risk, and recovery. Moreover, Salim Al-Balushi noted that Oman has cybersecurity support services which help businesses modify standards to their specific context. Oman also offers training and awareness building programmes. Al-Balushi then briefly presented the main domains of Oman’s e-governance Framework, which contains 265 standards and specialisations and 150 design considerations and best practices. Key lessons in Oman include the necessity for a cybersecurity posture assessment, for a multistakeholder approach to developing standards for cybersecurity, for private-public partnerships, and for selecting a baseline and a model to measure capabilities.

By Andrijana Gavrilović