Costa Rica’s national cybersecurity strategy 2023-2027
September 2023
Strategies and Action Plans
Author: Ministry of Science, Innovation, Technology and Telecommunications
Costa Rica’s national cybersecurity strategy 2023-2027, prepared by the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT), is a comprehensive framework designed to strengthen the country’s digital security after a period of major cyber incidents. It builds on the 2017–2021 strategy, incorporates lessons from the large-scale ransomware attacks of 2022, and aligns with Costa Rica’s broader national policies, such as the Plan Nacional de Desarrollo e Inversión Pública 2023–2026 and the Estrategia Nacional de Transformación Digital 2023–2027.
Context and guiding principles
The strategy responds to an evolving cyber threat landscape, marked by ransomware, phishing, online scams, and critical infrastructure attacks. It takes a whole-of-society approach, recognising the role of government, the private sector, academia, and civil society. It is also strongly rights-based and human-centric, ensuring cybersecurity does not undermine human rights, equality, or inclusion. Four cross-cutting approaches guide its implementation: risk management and mitigation, respect for human rights, inclusivity, and a focus on people’s diverse and intersecting vulnerabilities.
Vision, mission, and objectives
- Vision (2027): a trustworthy digital ecosystem in Costa Rica that contributes to global cybersecurity efforts.
- Mission: to establish an integrated framework to prevent and mitigate cyber risks, strengthen response capacity, foster innovation, promote a strong security culture, and protect personal and critical information.
- General Objective: to ensure a secure, resilient, and inclusive national cybersecurity ecosystem that protects citizens, institutions, and infrastructure.
Strategic pillars
The strategy is structured around five pillars:
- Strengthen cybersecurity governance – consolidating MICITT’s leadership, establishing clear roles, improving coordination, and optimising public investments.
- Update the cyber legal framework – adapting laws and technical regulations to emerging threats, ensuring enforcement, and incorporating protections against gender-based digital violence.
- Protect infrastructures and enhance national cyber resilience – identifying and safeguarding critical infrastructures, creating a National Security Operations Center (SOC-CR), and improving risk monitoring, detection, and incident response.
- Reinforce ecosystem capacities – education and training at all levels, workforce development, gender gap reduction, public awareness campaigns, and promotion of R&D in cybersecurity.
- Cooperate in the digital environment – enhancing national and international collaboration, cyber diplomacy, public-private partnerships, and participation in global forums.
Interventions and alignment
The strategy includes public interventions tied to national development plans, such as training nearly 26,000 people in cybersecurity awareness and conducting 40 activities on cyber diplomacy and security. It also integrates gender and diversity perspectives, aiming to reduce online risks for vulnerable groups and strengthen law enforcement’s capacity to address cybercrimes like online gender violence and child exploitation.
Implementation and follow-up
Implementation is anchored in a governance model led by MICITT and CSIRT-CR, with mechanisms for monitoring, evaluation, and continuous risk management. The strategy emphasises accountability, regular assessments, and inclusive participation. It also stresses the importance of international cooperation, referencing commitments such as the Budapest Convention on Cybercrime and its Second Additional Protocol, and collaboration with organisations like the OAS/CICTE.